diff --git a/.gitmodules b/.gitmodules index cd21e647e1..eb83b97255 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,4 +1,4 @@ [submodule "contentctl"] path = contentctl url = https://github.com/splunk/contentctl.git - ignore = all + ignore = all diff --git a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf index 9364d24527..c54041109b 100644 --- a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf +++ b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2024-01-10T18:30:46 UTC +# On Date: 2024-01-10T18:42:59 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# diff --git a/dist/DA-ESS-ContentUpdate/default/app.conf b/dist/DA-ESS-ContentUpdate/default/app.conf index 0081cf7013..47f64837dd 100644 --- a/dist/DA-ESS-ContentUpdate/default/app.conf +++ b/dist/DA-ESS-ContentUpdate/default/app.conf @@ -1,6 +1,6 @@ ############# # Automatically generated by generator.py in splunk/security_content -# On Date: 2024-01-10T18:30:46 UTC +# On Date: 2024-01-10T18:42:59 UTC # Author: Splunk Threat Research Team - Splunk # Contact: research@splunk.com ############# @@ -10,7 +10,7 @@ is_configured = false state = enabled state_change_requires_restart = false -build = 20240110182836 +build = 20240110184052 [triggers] reload.analytic_stories = simple diff --git a/dist/DA-ESS-ContentUpdate/default/collections.conf b/dist/DA-ESS-ContentUpdate/default/collections.conf index 1df390aa07..6e1fee08ce 100644 --- a/dist/DA-ESS-ContentUpdate/default/collections.conf +++ b/dist/DA-ESS-ContentUpdate/default/collections.conf 
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:30:46 UTC
+# On Date: 2024-01-10T18:42:59 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/DA-ESS-ContentUpdate/default/content-version.conf b/dist/DA-ESS-ContentUpdate/default/content-version.conf
index 510015925e..feab843989 100644
--- a/dist/DA-ESS-ContentUpdate/default/content-version.conf
+++ b/dist/DA-ESS-ContentUpdate/default/content-version.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:30:46 UTC
+# On Date: 2024-01-10T18:42:59 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf
index 600c24768b..c30ea4281b 100644
--- a/dist/DA-ESS-ContentUpdate/default/es_investigations.conf
+++ b/dist/DA-ESS-ContentUpdate/default/es_investigations.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:30:46 UTC
+# On Date: 2024-01-10T18:42:59 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/DA-ESS-ContentUpdate/default/macros.conf b/dist/DA-ESS-ContentUpdate/default/macros.conf
index 088e3caadc..ce9c9240ab 100644
--- a/dist/DA-ESS-ContentUpdate/default/macros.conf
+++ b/dist/DA-ESS-ContentUpdate/default/macros.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:30:46 UTC
+# On Date: 2024-01-10T18:42:59 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf
index 20c649c332..7d917fc03a 100644
--- a/dist/DA-ESS-ContentUpdate/default/savedsearches.conf
+++ b/dist/DA-ESS-ContentUpdate/default/savedsearches.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:30:46 UTC
+# On Date: 2024-01-10T18:42:59 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/DA-ESS-ContentUpdate/default/transforms.conf b/dist/DA-ESS-ContentUpdate/default/transforms.conf
index c310daa25f..ae18dd4ab0 100644
--- a/dist/DA-ESS-ContentUpdate/default/transforms.conf
+++ b/dist/DA-ESS-ContentUpdate/default/transforms.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:30:46 UTC
+# On Date: 2024-01-10T18:42:59 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf
index 43c3e2d92a..422a4300ba 100644
--- a/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf
+++ b/dist/DA-ESS-ContentUpdate/default/workflow_actions.conf
@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-10T18:30:46 UTC
+# On Date: 2024-01-10T18:42:59 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
diff --git a/dist/api/macros.json b/dist/api/macros.json
index cfe83eb250..2bae5e6ac5 100644
--- a/dist/api/macros.json
+++ b/dist/api/macros.json
@@ -1 +1 @@ -{"macros": [{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_admin_impersonation_indicator_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "known_services_killed_by_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_activity_related_to_pass_the_hash_attacks_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_rfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_s3_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unknown_process_using_the_kerberos_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_network_share_access_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"schedule_task_with_http_command_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_visudo_utility_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_dontshowui_filter"}, {"definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_container_controller"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_registry_modification_filter"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "remoteconnectionmanager"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_mismatch_auth_source_and_verification_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_access_by_provider_user_and_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_setspn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_application_via_apache_commons_text_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_powershell_filter"}, {"definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "f5_bigip_rogue"}, {"definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_system"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_discovery_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_lsass_memory_for_dump_creation_filter"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_ui"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_at_allow_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_usage_filter"}, {"arguments": ["field"], "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "name": "security_content_ctime"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_dns_failures_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_data_center_and_server_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"supernova_webshell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_authentication_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_login_data_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ws_ftp_remote_code_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_bypass_mfa_via_trusted_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zeek_x509_certificate_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_unauthorized_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "extraction_of_registry_hives_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_lack_of_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_deleting_its_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_on_app_search_table_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_log_injection_web_service_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_with_known_abuse_web_service_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_requests_to_access_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "remote_registry_key_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_tasks_used_in_badrabbit_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_office_product_spawning_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rapid_authentication_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_anomalous_resource_utilisation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_data_destruction_recursive_exec_files_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_service_control_start_as_disabled_filter"}, {"definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_dns"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autoit3_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extended_period_without_successful_netbackup_backups_filter"}, {"definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_netsh"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_win_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_special_privileged_logon_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_application_registration_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"certutil_with_decode_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter"}, {"definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_investigation_rest_handler"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ami_atttribute_modification_for_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_authentication_failures_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "3cx_supply_chain_attack_network_indicators_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_cve_2023_22515_trigger_vulnerability_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskcryptor_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"hiding_files_and_directories_with_attrib_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_edit_cron_table_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_attach_to_role_policy_filter"}, {"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubsub_message"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_with_public_source_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_update_identity_provider_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sql_injection_with_long_urls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_rds_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powersploit_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit 
the output results to filter out false positives.", "name": "detect_regsvcs_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_obfuscated_files_or_information_base64_decode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_service_rdpwinst_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_region_filter"}, {"definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_calendar"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_file_deletion_in_windefender_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_script_block_filter"}, {"definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_names"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icedid_exfiltrated_archived_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_service_stop_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_share_discovery_with_powerview_filter"}, {"definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_audit"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_suppress_win_defender_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_disable_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_controller_spn_attribute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_valid_account_with_never_expires_password_filter"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_webx"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indicator_removal_via_rmdir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_notes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gdrive_suspicious_file_sharing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_load_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mail_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "windows_system_network_connections_discovery_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbemprox_com_object_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_authenticationleveloverride_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "eventvwr_uac_bypass_filter"}, {"definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with Network ACLs", "name": "network_acl_events"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_exchange_web_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nishang_powershelltcponeline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xmrig_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "azure_ad_privileged_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_plutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_ami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "notepad_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_hosts_connecting_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_via_data_model_objectname_field_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_launched_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_powershell_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_profile_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_remote_user_account_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_remote_endpoint_authentication_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_regedit_silent_reg_import_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "7zip_commandline_to_smb_share_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberoasting_spn_request_with_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_impersonate_token_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_information_discovery_fsutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_prohibited_applications_spawning_cmd_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_request_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_antivirus_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_access_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_user_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_account_lockouts_from_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_or_stop_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rclone_command_line_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_file_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_bootexecute_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_threat_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_remote_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_lolbin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_cryptography_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sc_exe_manipulating_windows_services_filter"}, {"definition": "search *", "description": "Update this macro to limit 
the output results to filter out false positives.", "name": "windows_impair_defense_add_xml_applocker_rules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_usewuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "password_policy_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_win_defender_auto_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_used_for_forcing_a_reboot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_dependabot_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_app_hotkeys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fsutil_zeroing_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_profile_config_file_filter"}, {"definition": "search *", "description": "Update 
this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_nochangingwallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_using_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_account_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "trickbot_named_pipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_cve_2021_44228_exploitation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potentially_malicious_code_on_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_longpathsenabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "batch_file_write_to_system32_filter"}, {"definition": 
"search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring_cloud_function_functionrouter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "verclsid_clsid_execution_filter"}, {"definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_admin"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_edit_user_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multi_hop_proxy_tor_website_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_gcp_storage_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_known_graphicalproton_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_outbound_network_io_filter"}, {"definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its 
original file name, data for this macro came from https://strontic.github.io/", "name": "process_gpupdate"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_runbook_webhook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_allow_config_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_large_outbound_icmp_packets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_scheduled_task_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_gcp_storage_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_get_session_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "o365_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "drop_icedid_license_dat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_processing_stream_of_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_connhost_exe_started_forcefully_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_actions_disable_security_workflow_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cobalt_strike_named_pipes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_mshta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_phishing_detection_with_fastpass_origin_check_filter"}, {"definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This macro is related to potentially identifiable software related to NirSoft. 
Remove or filter as needed based.", "name": "is_nirsoft_software"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_by_firewall_rule_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_add_new_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_image_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_for_creating_shim_databases_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_api_calls_from_previously_unseen_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_master_boot_record_drive_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_smb1protocol_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_copy_on_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_rundll32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ssl_certificates_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to 
filter out false positives.", "name": "azure_ad_external_guest_user_invited_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "logon_script_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_console_authentication_from_multiple_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_credential_theft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_system_volume_information_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_context_menu_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_single_factor_authentication_filter"}, {"definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msbuild"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_execute_arbitrary_commands_with_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"proxyshell_proxynotshell_behavior_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_in_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_added_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_security_logs_using_minint_registry_filter"}, {"definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory", "name": "is_windows_system_file"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_updateserviceurlalternate_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "linux_php_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_startw_filter"}, {"definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration", "name": "system_network_configuration_discovery_tools"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_suspicious_kerberos_tgt_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_stop_security_service_filter"}, {"definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regasm"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "linux_nopasswd_entry_in_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbadmin_delete_system_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dnsadmins_new_member_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_file_and_printing_sharing_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_import_applocker_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_activity_reported_filter"}, {"definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_hosts"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "silentcleanup_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attacker_tools_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_curl_upload_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_of_wermgr_to_known_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_or_forge_kerberos_tickets_klist_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_with_discord_dns_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_sentry_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mof_event_triggered_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "kubernetes_process_with_resource_ratio_anomalies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_high_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_remcomsvc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_default_icon_setting_filter"}, {"definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_procdump"}, {"definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvcs"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_findstr_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_configuration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wevtutil_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_block_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "linux_preload_hijack_library_calls_filter"}, {"definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_get_webglobalmodule"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_proxy_socks_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_uac_remote_restriction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recursive_delete_of_directory_in_batch_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_add_module_to_global_assembly_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disableremotedesktopantialias_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_to_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execute_javascript_with_jscript_com_clsid_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_ldap_traffic_filter"}, {"definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_bitsadmin"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_role_creation_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "web_jsp_request_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_composer_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_in_the_templates_lists_radio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_connecting_to_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ingress_tool_transfer_using_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_lock_workstation_feature_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_excessive_security_scanning_filter"}, {"definition": "search 
*", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_wmi_event_subscription_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_clear_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_ssh_key_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_runbook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_hvci_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_netstat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_rms_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_script_block_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sql_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_audit_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_process_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_local_admin_accounts_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"user_discovery_with_env_vars_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_copy_command_from_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_archive_files_http_post_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_abuse_filter"}, {"definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), 
mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), 
mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier", "name": "potentially_malicious_code_on_cmdline_tokenize_score"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "single_letter_process_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "suspicious_plistbuddy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanner_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_risky_spl_using_pretrained_ml_model_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_account_discovery_via_get_netcomputer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_domain_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_lockout_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_command_line_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_calendar_invite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c89_privilege_escalation_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_binary_proxy_execution_mavinject_dll_injection_filter"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_cloudwatchlogs_eks"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "tor_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_windbg_spawning_autoit3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_software_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_java_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_apply_user_settings_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_script_block_with_url_chain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "windows_cab_file_on_disk_filter"}, {"definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_net"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_firewall_with_netsh_filter"}, {"definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon", "name": "uncommon_processes"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_load_module_in_meterpreter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"detect_sharphound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_two_or_more_rejected_okta_pushes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rasautou_dll_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_dcrat_forkbomb_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_wermgr_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_identify_protocol_handlers_filter"}, {"definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_schtasks"}, {"definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_microsoftworkflowcompiler"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vbscript_execution_using_wscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocols_passing_authentication_in_cleartext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "high_frequency_copy_of_files_in_network_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_with_high_standard_deviation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_mmc_load_unsigned_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_scheduling_job_on_remote_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_repository_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_shared_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_gcploit_framework_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_amsi_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_ldap_module_filter"}, {"definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "circleci"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_oauth_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_deny_security_software_with_applocker_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshtml_module_load_in_office_product_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_regsvr32_register_suspicious_path_filter"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "windows_shells"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mmc_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_printf_search_function_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_noninteractive_app_uninstallation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_node_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring4shell_http_request_class_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_update_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike_filter"}, {"definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "admon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_to_safe_mode_with_network_config_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_msdtc_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_winrs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocol_or_port_mismatch_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_chmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_user_aws_console_login_filter"}, {"definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365", "name": "evilginx_phishlets_0365"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_executable_in_loaded_modules_filter"}, {"definition": "eventtype=wineventlog_security OR Channel=security 
OR source=XmlWinEventLog:Security", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_security"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "overwriting_accessibility_binaries_filter"}, {"definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon", "name": "evilginx_phishlets_amazon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_persistence_and_privilege_escalation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_assume_role_policy_brute_force_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hide_notification_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_created_by_computer_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fortinet_appliance_auth_bypass_filter"}, {"definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "netbackup"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_spaces_before_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_dns_query_known_abuse_web_services_filter"}, {"definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "amazon_security_lake"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spike_in_file_writes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_lockworkstation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_parent_pid_spoofing_with_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___password_sharing_across_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_sudoers_file_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_global_administrator_role_assigned_filter"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities", "name": "previously_unseen_cloud_provisioning_activity_window"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "secretdumps_offline_ntds_dumping_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_java_spawning_shells_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_drop_executable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_4104_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_change_file_owner_to_root_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "check_elevated_cmd_using_whoami_filter"}, {"definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wmi"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_ssl_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_assume_role_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_process_termination_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_remote_services_script_execute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_cronjob_modification_with_editor_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_localstate_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_port_security_violation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_bucket_replication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_windows_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "windows_powershell_iis_components_webglobalmodule_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_rights_delegation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmlua_or_cmstplua_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_traffic_filter"}, {"definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dllhost"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_created_by_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_source_failed_authentications_spike_filter"}, {"definition": "search 
*", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_insert_kernel_module_using_insmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_maxconnectionperserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_accessdenied_discovery_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_moveit_transfer_writing_aspx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_in_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "w3wp_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gpupdate_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_task_manager_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rules_stacking_filter"}, {"definition": "search 
*", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_running_from_new_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_workspace_one_freemarker_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rule_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_abused_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clients_connecting_to_multiple_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_windows_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_brc4_loaded_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_exe_certificate_extraction_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_blockatfirstseen_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_ad_access_control_list_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshta_spawning_rundll32_or_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsreset_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_disable_bucket_versioning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_sqlite3_lsquarantine_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admin_permission_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_kerberos_local_successful_logon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_empire_with_powershell_script_block_logging_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_spynet_reporting_filter"}, {"definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note", "name": "ransomware_notes"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_writing_jsp_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrar_spawning_shell_application_filter"}, {"definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "printservice"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_user_enumeration_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_3cx_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_wmi_command_attempt_filter"}, {"definition": "(Processes.process_name=diskshadow.exe OR Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_diskshadow"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_pull_request_from_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_to_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_tamper_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_immutableid_attribute_updated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_promotion_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msbuild_suspicious_spawned_by_script_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outlook_exe_writing_a_zip_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dns_gather_network_info_filter"}, {"definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_rpc"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prevent_automatic_repair_mode_using_bcdedit_filter"}, {"definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console", "name": "evilginx_phishlets_aws"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"dns_exfiltration_using_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_series_of_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spectre_and_meltdown_vulnerable_systems_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_comsvcs_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_suspected_passwordspray_attack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gnu_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_with_netuser_preauthnotrequire_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "identify_new_user_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sqlite3_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "allow_operation_with_consent_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_authorized_keys_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups", "name": "security_group_api_calls"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_authentication_administrator_role_assigned_filter"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "capi2_operational"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskshadow_proxy_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_for_log4shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_protocol_tunneling_with_plink_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enumerate_users_local_group_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_execute_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_create_remote_thread_to_a_process_filter"}, {"definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_objects_events"}, {"definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_management_activity"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disabling_wer_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_api_activities_from_unapproved_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bypass_uac_via_pkgmgr_tool_filter"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TaskScheduler/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_task_scheduler"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_user_logins_from_multiple_cities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c99_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadfile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_lambda_updatefunctioncode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raccine_scheduled_task_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_papercut_ng_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "domain_group_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_remote_assistance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_with_outbound_connection_filter"}, {"definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_installutil"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_createremotethread_in_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_delete_task_sd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_common_process_for_elevation_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"microsoft_sharepoint_server_elevation_of_privilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_openvpn_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___base64_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_certificate_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_run_task_on_demand_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_segfault_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_sso_logon_errors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudoers_tmp_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"non_chrome_process_accessing_chrome_default_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_image_creation_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_remote_web_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_account_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_logoff_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_wmi_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_windows_defender_exclusion_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "first_time_seen_child_process_of_zoom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_process_injection_via_getprocaddress_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_device_code_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sam_database_file_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_get_ciminstance_remote_computer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certutil_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___syssetup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_ad_domain_controller_audit_policy_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_grant_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "chcp_command_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_emacs_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_psexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_changes_to_file_associations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_setdefaultpolicyversion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_possible_credential_dumping_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_conf_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sqlite_module_in_temp_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_config_discovery_display_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_shimcache_flush_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_shutdown_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_winverifytrust_failed_trust_validation_filter"}, {"definition": 
"search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_processes_used_for_system_network_configuration_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_subject_with_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_disable_security_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_reg_save_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_or_set_windows_defender_exclusion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_rundll32_command_trigger_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"spoolsv_suspicious_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_by_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_with_namedpipe_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_regsvr32_renamed_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_admin_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_smb_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_number_of_login_failures_from_a_single_source_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results 
to filter out false positives.", "name": "malicious_powershell_process___execution_policy_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stdout_redirection_to_dev_null_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_with_highest_privileges_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_locked_out_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "osquery_pack___coldroot_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_after_credential_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kernel_module_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "splunk_xss_via_view_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_replication_acl_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hidden_schedule_task_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_module_failed_to_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "esentutl_sam_copy_filter"}, {"definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "driverinventory"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_recent_iso_exec_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_executed_as_a_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_record_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_shred_overwrite_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email_attachment_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_crypto_export_file_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_restarted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_clipboard_data_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_curl_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"network_connection_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_shadow_copies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_shutdown_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_remote_shellservlet_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_thread_to_known_windows_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_failed_sso_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_servers_sending_high_volume_traffic_to_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_adding_a_printer_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_through_investigation_attachments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"azure_ad_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_web"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "open_redirect_in_splunk_web_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_show_hidden_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_custom_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schcache_change_by_app_connect_and_create_adsi_object_filter"}, {"definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "okta"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_server_software_component_gacutil_install_to_gac_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_user_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gdb_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_cimmethod_cimsession_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msexchange_management_mailbox_cmdlet_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_symlink_to_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to 
filter out false positives.", "name": "aws_console_login_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_ticket_granting_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "loading_of_dynwrapx_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_xsl_execution_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_lateral_movement_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_list_all_nonstandard_admin_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "living_off_the_land_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "plain_http_post_exfiltrated_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_infrastructure_version_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_without_extension_in_critical_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_account_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "excessive_usage_of_sc_service_utility_filter"}, {"definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_powershell"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_setup_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_ipv6_network_infrastructure_threats_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_renamed_filter"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description", "name": "dynamic_dns_web_traffic"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_puppet_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "detect_computer_changed_with_anonymous_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_psexec_with_accepteula_flag_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_constrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_password_managers_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_same_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_getpassworddata_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_rbac_authorization_by_account_filter"}, {"definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_failed_auths"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_inbox_folder_shared_with_all_users_filter"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "certificateservices_lifecycle"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_using_malformed_saml_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_failure_recovery_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_remote_access_software_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_suspect_process_with_authentication_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_datasync_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wscript_or_cscript_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stop_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_wake_on_lan_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_notification_center_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_delete_policy_filter"}, 
{"definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_hh"}, {"definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_audit"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_credential_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_rat_file_creation_in_remcos_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_create_executable_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cryptoapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_administrative_shares_accessed_on_multiple_hosts_filter"}, {"definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudtrail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_mpengine_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_loading_dotnet_into_memory_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potential_password_in_username_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_with_network_connections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_sharefile_exploitation_cve_2023_24489_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_dd_file_overwrite_filter"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "ms_defender"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_create_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_tapping_keyboard_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_taskhost_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_restricted_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_scheduled_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "wmi_temporary_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_process_running_on_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_cron_jobs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_denied_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_client_registry_install_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disallow_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kworker_process_in_writable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_registry_filter"}, {"definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_curl"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_new_mfa_method_registered_for_user_filter"}, {"definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_monitor_aad"}, {"definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_graph"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_pdf_file_executes_url_link_filter"}, {"definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe", "name": "prohibited_apps_launching_cmd"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_response_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_distinct_processes_from_windows_temp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsuccessful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_drive_share_in_external_email_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___setupapi_filter"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW 
isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.", "name": "dynamic_dns_providers"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_rogue_domain_controller_network_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_submit_samples_consent_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_network_discovery_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_tmui_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_service_ticket_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_unregister_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_uninstall_program_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"fodhelper_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_registry_keys_for_print_monitors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll_loading_dll_by_ordinal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_reboot_via_system_request_key_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_dnsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_scheduletask_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_arp_poisoning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_reg_exe_process_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dism_remove_defender_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_wdigest_uselogoncredential_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_event_logging_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_wmiexec_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_krbrelayup_service_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_windows_local_security_authority_defences_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_deny_command_filter"}, {"definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions", "name": "suspicious_email_attachments"}, {"definition": "search *", "description": "Update this macro to limit the output results to 
filter out false positives.", "name": "detect_new_open_s3_buckets_over_aws_cli_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_decode_base64_to_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_none_disable_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_3cxdesktopapp_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_qakbot_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_terminating_lsass_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_common_abused_cmd_shell_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "windows_hijack_execution_flow_version_dll_side_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_creation_on_remote_endpoint_using_at_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "delete_shadowcopy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvr32_application_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_web_traffic_for_brand_abuse_filter"}, {"definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_certutil"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rdp_connection_successful_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_absolute_path_traversal_using_runshellscript_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"juniper_networks_remote_code_execution_exploit_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_command_line_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mfa_exhaustion_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_zerologon_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_payload_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uninstall_app_using_msiexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_odbcconf_load_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "svchost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_whoami_filter"}, {"definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_setspn"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_info_gathering_using_dxdiag_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defacement_modify_transcodedwallpaper_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_root_domain_linked_policies_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_device_enrolled_on_account_filter"}, {"definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from 
https://strontic.github.io/", "name": "process_psexec"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "anomalous_usage_of_7zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "auto_admin_logon_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_test_files_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_serialized_session_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_successful_group_deletion_filter"}, {"definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "msexchange_management"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_with_md5_reg_key_name_filter"}, {"definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_enablelinkedconnections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wget_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_sliverc2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_rar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_drivers_loaded_by_signature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "etw_registry_disabled_filter"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services", "name": "previously_seen_windows_services_window"}, {"definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_finding"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_privilege_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_host_information_camera_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lsa_secrets_nolmhash_registry_filter"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "path_traversal_spl_injection"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "curl_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_powershell_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_nltest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_medium_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_cross_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_linked_policies_in_adsi_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_script_block_filter"}, {"definition": 
"search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_spawning_rundll32_filter"}, {"definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_loactions"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_java_classes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_outbound_email_with_attachment_to_external_domain_filter"}, {"definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_reg"}, {"definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances", "name": 
"ec2_modification_api_calls"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_ransomware_known_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_event_log_service_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uncommon_processes_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___anomalous_user_clickspeed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spring4shell_payload_url_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_modified_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_api_token_created_filter"}, {"definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_sdelete"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_filter"}, {"definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net 
binaries on Windows Server 2016 and Windows 11.", "name": "is_net_windows_file"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_log_cleared_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell___connect_to_internet_with_hidden_window_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_ldap_nslookup_filter"}, {"definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cisco_networks"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_processor_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_permanent_key_creation_filter"}, {"definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub", "name": "evilginx_phishlets_github"}, {"definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_pod_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iso_lnk_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_adding_crontab_using_list_parameter_filter"}, {"definition": "search *", "description": 
"Update this macro to limit the output results to filter out false positives.", "name": "msmpeng_application_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_service_spawned_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_remote_thread_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_schtasks_create_run_as_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_with_colorui_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_dump_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wav_file_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_files_written_outside_of_the_outlook_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sunburst_correlation_dll_and_network_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "permission_modification_using_takeown_app_filter"}, {"definition": "index=_audit sourcetype=audittrail", 
"description": "Macro to enable easy searching of audittrail logs", "name": "audittrail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_attachments_with_lots_of_spaces_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createaccesskey_filter"}, {"definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunk_python"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___account_harvesting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___encoded_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_running_windows_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_information_disclosure_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modification_of_wallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_spawn_child_process_filter"}, {"definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious", "name": "suspicious_writes"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_or_modification_of_sshd_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cross_account_activity_from_previously_unseen_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windefender_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "scheduled_task_deleted_or_created_via_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_copy_of_shadowcopy_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_dllhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_with_wmic_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_icedid_rundll32_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_creating_lnk_file_in_suspicious_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_hardware_addition_swapoff_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "windows_change_default_file_association_for_no_file_ext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_verifyctl_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_upload_to_remote_destination_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_high_file_deletion_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_privilege_role_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deleting_critical_directory_using_rm_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_local_admin_with_findlocaladminaccess_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_in_firewall_rule_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_net_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_cpulimit_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_request_filter"}, {"definition": "search *", "description": 
"Update this macro to limit the output results to filter out false positives.", "name": "detect_new_api_calls_from_user_roles_filter"}, {"definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery_process"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_profile_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_server_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_writing_dynamicwrapperx_filter"}, {"definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_http"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_large_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_browser_pass_view_parameter_filter"}, {"definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_agents"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_risky_command_abuse_disclosed_february_2023_filter"}, {"definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_mshta"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_identity_sam_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"large_volume_of_dns_any_queries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_show_compress_color_and_info_tip_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_busybox_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_etw_through_registry_filter"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatchlogs_vpcflow"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_cmd"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_replication_through_removable_media_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_spawned_child_process_to_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_traffic_mirroring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_account_manipulation_of_ssh_config_and_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_do_not_connect_to_win_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_email_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ping_sleep_batch_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dsquery_domain_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos___re_opened_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyenable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "screensaver_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "download_files_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_commandline_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_delete_or_modify_system_firewall_filter"}, {"definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_gmail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_discovery_via_quser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_lsass_dump_with_taskmgr_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_wmi_win32_scheduledjob_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_searchprotocolhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disablesecuritysettings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_folderoptions_windows_feature_filter"}, {"definition": "search 
*", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_unauthorized_assets_by_mac_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_tool_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_webrequest_using_memory_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_pkexec_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "risk_rule_for_dev_sec_ops_by_repository_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_attempt_to_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_using_wmi_class_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_access_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "windows_disableantispyware_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_kernel_mode_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_extension_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_of_net_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_forest_discovery_with_getforestdomain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_csvtool_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_highlighted_json_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_rpm_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_using_loaded_images_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_discovery_using_route_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_http_response_splitting_via_rest_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_network_traffic_allowed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter"}, {"definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_shells"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executable_file_written_in_administrative_smb_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_writing_cab_or_inf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_norun_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_setcap_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_monitoring_console_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_make_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_using_memory_as_backing_store_filter"}, {"definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects.", "name": "github_known_users"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_unix_shell_enable_all_sysrq_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "windows_process_injection_into_notepad_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_pcalua_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_remotesigned_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "firewall_allowed_program_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_in_develop_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_rclone_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_process_creating_exe_dll_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_spawned_cmd_or_powershell_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_server_side_template_injection_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_bootloader_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_or_delete_windows_shares_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_lfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_njrat_fileless_storage_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_share_discovery_via_dir_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mismatch_between_source_and_response_for_verify_push_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "windows_system_time_discovery_w32tm_delay_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_computer_account_name_change_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_behavior_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ntdsutil_export_ntds_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_manipulating_windows_services_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_suspicious_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_api_activity_from_users_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_network_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_powershell_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_step_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_content_type_length_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_class_file_download_by_java_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_certificate_filter"}, {"definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dxdiag"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_aria_operations_exploit_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_create_local_account_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_s3_exfiltration_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdclt_uac_bypass_filter"}, {"definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware", "name": "ransomware_extensions"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dotnet_binary_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_into_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_bitsadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_created_in_kernel_driver_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_runas_elevated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_kill_base_on_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"system_information_discovery_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_transfer_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_instance_modified_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_excessive_disabled_services_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_module_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_arp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_assistance_spawning_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "outbound_network_connection_from_java_using_default_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "non_firefox_process_access_firefox_profile_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_modification_for_safe_mode_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_using_infotech_storage_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "csc_net_on_the_fly_compilation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_bruteforce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rogue_dhcp_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unloading_amsi_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_requesting_kerberos_ticket_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_reg_restore_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_new_module_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_dns_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_user_execution_malicious_url_shortcut_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_logoff_button_through_registry_filter"}, {"definition": "search *", "description": "Update 
this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_sedebugprivilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windows_security_center_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_tgt_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_service_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_powershell_remoting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_or_modify_tools_via_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter"}, {"definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for 
searches", "name": "audit_searches"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_winlogon_with_public_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exchange_autodiscover_ssrf_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_batch_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_init_daemon_script_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_advanced_audit_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_oauth_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "runas_execution_in_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_install_kernel_module_using_modprobe_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___advpack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winhlp32_spawning_a_process_filter"}, {"definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to connect to your kubernetes 
cluster.", "name": "kube_allowed_images"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_linux_discovery_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "script_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___process_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gem_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_files_in_known_crontab_directories_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"aws_ec2_snapshot_shared_externally_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_apache_benchmark_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "usn_journal_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_enabled_and_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bits_job_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_account_manager_stopped_filter"}, {"definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_verclsid"}, {"definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_tcp"}, {"definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_dns"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jscript_execution_using_cscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "lolbas_with_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter 
out false positives.", "name": "getdomaingroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_and_service_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autostart_execution_lsass_driver_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_with_spn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmdline_tool_not_executed_in_cmd_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dllhost_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to 
filter out false positives.", "name": "windows_raw_access_to_disk_volume_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_bitstransfer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_7_zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_script_contains_base64_encoded_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_application_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_in_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_lateral_movement_powershell_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_path_interception_by_creation_of_program_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter"}, {"definition": "search *", "description": 
"Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msi_module_loaded_by_non_system_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lateral_tool_transfer_remcom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cs_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_escalation_behavior_filter"}, {"definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msiexec"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_defender_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_applicationimpersonation_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_login_attempts_to_routers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_service_file_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"azure_ad_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_with_iscsicpl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_splunk_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ngrok_reverse_proxy_on_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_advancedrun_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_created_via_xml_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_delete_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_kernel_driver_comadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "windows_ad_sid_history_attribute_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_profiler_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_logs_using_wevtutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "samsam_test_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "interactive_session_on_remote_endpoint_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_outliers___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_infrastructure_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_toast_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "file_with_samsam_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rare_executables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_explorer_as_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_risk_behavior_filter"}, {"definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_application"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_qwinsta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_system_firewall_with_notable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_network_acl_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_mockbin_or_mocky_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "searchprotocolhost_with_no_command_line_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xsl_script_execution_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_rdp_in_other_port_number_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_rdp_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_processes_killed_by_industroyer2_malware_filter"}, {"definition": 
"sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "sysmon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_process_child_of_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remove_windows_defender_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_with_gpme_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_add_app_role_assignment_grant_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_user_account_lockouts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_qakbot_binary_data_registry_filter"}, {"definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "powershell"}, {"definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "pingid"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_cmd_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_support_provider_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_screen_capture_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_created_with_all_open_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_risk_threshold_exceeded_filter"}, {"definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "risk_index"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_script_block_filter"}, {"arguments": ["b64in"], "definition": "eval b64x_split=split($b64in$,\"\") | lookup char_conversion_matrix base64char as b64x_split OUTPUT base64bin as b64x_bin | eval b64x_join=mvjoin(b64x_bin,\"\") | rex field=b64x_join \"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. Not a full implementation, but good enough for context without additional app installation.", "name": "base64decode"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_issued_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_execution_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_snicat_sni_exfiltration_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clear_unallocated_sector_using_cipher_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_network_info_through_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mimikatz_passtheticket_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_enhanced_notification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executables_or_script_creation_in_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_usb_device_insertion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_malformed_s2s_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_in_registry_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hosts_file_modification_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_gpupdate_no_command_line_arguments_filter"}, {"definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_runas"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certipy_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_privilege_escalation_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_dns_tunnels_filter"}, {"definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_groups"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_role_access_filter"}, {"definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes", "name": "splunk_crash_log"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_init_boot_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"bitsadmin_download_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_adminsdholder_acl_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_utilities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_executed_from_container_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_memory_crash_dump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modify_acl_permission_to_files_or_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "resize_shadowstorage_volume_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_changes_in_master_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_local_administrator_credential_stuffing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"linux_ingress_tool_transfer_with_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_find_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_security_group_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_for_service_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adsisearcher_account_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_sip_provider_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_login_failure_with_high_unknown_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_default_file_association_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_cacls_app_filter"}, {"definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_metrics"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_destroyed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_call_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_user_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_process_injection_forwarder_bundle_downloads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_tools_built_by_nirsoft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nltest_domain_trust_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_silent_and_install_param_dll_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_windows_recycle_bin_filter"}, {"definition": "search *", "description": "Update this macro to limit 
the output results to filter out false positives.", "name": "winevent_windows_task_scheduler_event_action_started_filter"}, {"definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "exchange"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_data_destruction_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_suspicious_behavior_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_spn_discovery_filter"}, {"definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wmic"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "control_loading_from_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "windows_credentials_from_password_stores_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter"}, {"definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_csc"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudo_or_su_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_creating_thread_mutex_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_with_tscon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_via_net__and_sc_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_abnormal_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_docker_privilege_escalation_filter"}, {"definition": "search *", "description": "Update 
this macro to limit the output results to filter out false positives.", "name": "windows_hunting_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hide_user_account_from_sign_in_screen_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_executing_macro_code_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_browser_list_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_domain_organizational_units_with_getdomainou_filter"}, {"definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_drive"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_systemrestore_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_abuse_via_ssrf_filter"}, {"definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_azure"}, {"definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_route"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_driver_loaded_path_filter"}, {"definition": "sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "github"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_input_capture_using_credential_ui_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_enable_win32_scheduledjob_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_file_created_in_systemd_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_local_admin_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_security_group_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_processes_run_from_unexpected_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_alternate_datastream___executable_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsigned_image_loaded_by_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_download_to_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_read_access_granted_to_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cached_domain_credentials_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter"}, {"definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation.", "name": "uacbypass_process_name"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "certutil_download_with_urlcache_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email___uba_anomaly_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawn_cmd_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "path_traversal_spl_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_installation_with_suspicious_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unload_sysmon_filter_driver_filter"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_s3_accesslogs"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_mysql_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_web_traffic_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_identified_ssl_tls_certificates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_windbg_filter"}, {"definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_rundll32"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_by_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_smbexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_iptables_firewall_modification_filter"}, {"definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for 
this macro came from https://strontic.github.io/", "name": "process_esentutl"}, {"definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvr32"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_create_policy_version_to_allow_all_resources_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_spawn_filter"}, {"definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "papercutng"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_putbucketlifecycle_filter"}, {"definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook", "name": "evilginx_phishlets_outlook"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_exclusion_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cisco_ios_xe_implant_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "windows_snake_malware_service_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "conti_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_servers_executing_suspicious_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_echo_pipe___escalation_filter"}, {"definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google", "name": "evilginx_phishlets_google"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_octave_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_creating_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_s3_bucket_deletion_filter"}, {"definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_nltest"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_private_keys_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "child_processes_of_spoolsv_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_rce_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_rdp_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ldifde_directory_object_behavior_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_clipboard_data_via_get_clipboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_spawning_control_filter"}, {"definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ping"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_smartscreen_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_group_policy_features_through_registry_filter"}, {"definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_copy"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_defaultuser_and_password_in_registry_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_registry_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_created_filter"}, {"definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook", "name": "evilginx_phishlets_facebook"}, {"definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "bootloader_inventory"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process_with_obfuscation_techniques_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_with_known_silent_switch_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wustatusserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "time_provider_persistence_registry_filter"}, {"definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only", "name": "security_content_summariesonly"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "print_spooler_failed_to_load_a_plug_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_reboot_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "steal_or_forge_authentication_certificates_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_services_add_trustedhost_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_launching_netsh_filter"}, {"definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_ssl"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_exploitation_cve_2023_3519_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_filter"}, {"definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkda"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes", "name": "previously_seen_zoom_child_processes_window"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ruby_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_serviceprincipalname_added_to_domain_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_triggered_image_file_execution_options_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_failed_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_remote_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_webshell_exploit_behavior_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "services_escalate_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_with_suspicious_service_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_deletion_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_f5_tmui_rce_cve_2020_5902_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_ec2_snapshot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_winrar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_controlpanel_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_provider_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_impair_defenses_process_kill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"linux_service_started_or_enabled_filter"}, {"definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_x509"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_pst_export_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mark_of_the_web_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assignment_activated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_rundll32_with_no_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_long_dns_txt_record_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_avproduct_through_pwh_or_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_container_image_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "mailsniper_invoke_functions_filter"}, {"definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "subjectinterfacepackage"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_change_password_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_file_modification_crmlog_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_use_of_a_session_cookie_filter"}, {"definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name.", "name": "process_rclone"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_in_previously_unused_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_updateloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"asl_aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsmprovhost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_conhost_with_headless_argument_filter"}, {"definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare", "name": "filter_rare_process_allow_list"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_credential_dumping_through_lsass_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_software_download_to_network_device_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_dumping_lsass_memory_createdump_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "sdelete_application_execution_filter"}, {"definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_web"}, {"definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_operational_logs"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_adfind_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempted_credential_dump_from_registry_via_reg_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_minor_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_scheduled_task_from_public_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username", "name": "potential_password_in_username_false_positive_reduction"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_job_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_carry_out_string_command_parameter_filter"}, {"definition": "sourcetype=gws:reports:login", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_login"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_post_exploitation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "no_windows_updates_in_a_time_frame_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, 
sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd"}, {"definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_login_mfa_methods"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_active_directory_high_risk_sign_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mail_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmiprsve_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_new_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_add_certificate_to_untrusted_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_plugininit_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_time_based_evasion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_fetch_env_variables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_get_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_malicious_requests_to_exploit_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_command_back_to_normal_mode_boot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_multiple_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_iis_components_get_webglobalmodule_module_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_kerberos_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_recon_running_process_or_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ransomware_notes_bulk_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_sam_account_name_filter"}]} \ No newline at end of file +{"macros": [{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_getpassworddata_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_clipboard_data_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "tor_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out 
false positives.", "name": "suspicious_event_log_service_behavior_filter"}, {"definition": "user.groups{} IN (admin)", "description": "Define your user groups which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_groups"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_krbrelayup_service_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modify_acl_permission_to_files_or_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process_with_obfuscation_techniques_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_in_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_audit_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cached_domain_credentials_reg_query_filter"}, {"definition": "sourcetype=\"IIS:Configuration:Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_operational_logs"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_bruteforce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_office_product_spawning_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_stop_security_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_processes_killed_by_industroyer2_malware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_using_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_file_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_executed_as_a_service_filter"}, {"definition": "userName IN (user)", "description": "specify the user allowed to push Images to AWS ECR.", "name": "aws_ecr_users"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_windows_service_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out 
false positives.", "name": "linux_sudoers_tmp_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_cimmethod_cimsession_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_copy_command_from_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disabling_wer_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_unauthorized_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_activity_related_to_pass_the_hash_attacks_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_deny_security_software_with_applocker_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_account_locked_out_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_in_previously_unused_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "detect_s3_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_reboot_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_executable_in_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_pull_request_from_unknown_user_filter"}, {"definition": "source=PINGID", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "pingid"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recursive_delete_of_directory_in_batch_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_snicat_sni_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_attach_to_role_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vbscript_execution_using_wscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmiprsve_lolbas_execution_process_spawn_filter"}, {"definition": "sourcetype=gws:reports:login", "description": 
"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_login"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_find_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msexchange_management_mailbox_cmdlet_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "resize_shadowstorage_volume_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_aria_operations_exploit_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_manipulating_windows_services_registry_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_startw_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_registry_keys_for_print_monitors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskcryptor_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_filter"}, {"definition": "search *", "description": "Update 
this macro to limit the output results to filter out false positives.", "name": "windows_protocol_tunneling_with_plink_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_creation_in_profile_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_tapping_keyboard_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sam_database_file_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_authenticationleveloverride_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_sentry_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_large_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hijack_execution_flow_version_dll_side_load_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_comsvcs_dll_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_in_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_smb1protocol_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_emacs_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_busybox_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dns_gather_network_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_invalid_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_modify_registry_auto_minor_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_files_in_known_crontab_directories_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_cve_2021_44228_exploitation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "sourcetype=kube:container:controller", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_container_controller"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "loading_of_dynwrapx_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_low_privilege_user_can_view_hashed_splunk_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_anomalous_getobject_api_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getcurrent_user_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iso_lnk_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_obfuscated_files_or_information_base64_decode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_list_all_nonstandard_admin_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_windows_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_command_line_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_post_exploitation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_spawned_cmd_or_powershell_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ruby_privilege_escalation_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bitsadmin_download_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_usb_device_insertion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_with_network_connections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_urlcache_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_oauth_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "batch_file_write_to_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_information_discovery_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_brc4_loaded_dll_filter"}, 
{"definition": "sourcetype=\"google:gcp:pubsub:message\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "google_gcp_pubsub_message"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_files_written_outside_of_the_outlook_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_composer_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbadmin_delete_system_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_by_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"kubernetes_suspicious_image_pulling_filter"}, {"definition": "(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvcs"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_conhost_with_headless_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_iis_components_webglobalmodule_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_disable_bucket_versioning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sqlite_module_in_temp_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "notepad_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_with_curl_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "wget_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_stop_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_console_login_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_side_loading_process_child_of_calc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "known_services_killed_by_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_loaded_modules_filter"}, {"definition": "lookup suspicious_writes_lookup file as file_name OUTPUT note as \"Reference\" | search \"Reference\" != False", "description": "This macro limites the output to file names that have been marked as suspicious", "name": "suspicious_writes"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multi_hop_proxy_tor_website_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_mshta_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_hunting_path_traversal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bootloader_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fodhelper_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_wmiexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_execute_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_malformed_s2s_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_service_rdpwinst_tool_execution_filter"}, {"definition": "(Processes.process_name=csc.exe OR Processes.original_file_name=csc.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_csc"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_web"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_process_injection_forwarder_bundle_downloads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_promotion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_longpathsenabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_add_xml_applocker_rules_filter"}, {"definition": "sourcetype=mscs:storage:blob:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes data from Azure. 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_azure"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_script_proxy_execution_syncappvpublishingserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberoasting_spn_request_with_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_auto_update_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_win_defender_raw_write_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"splunk_app_for_lookup_file_editing_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_download_to_suspicious_path_filter"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=sh.exe OR Processes.process_name=bash.exe OR Processes.process_name=wscript.exe OR Processes.process_name=cscript.exe)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "windows_shells"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "add_or_set_windows_defender_exclusion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_get_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_created_by_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "download_files_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_with_netuser_preauthnotrequire_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_ransomware_known_service_name_filter"}, {"definition": "search *", "description": "Update 
this macro to limit the output results to filter out false positives.", "name": "disable_defender_enhanced_notification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_localstate_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cisco_ios_xe_implant_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "child_processes_of_spoolsv_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_command_line_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hide_notification_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___process_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_rpm_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_rbac_authorizations_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_serviceprincipalname_added_to_domain_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_new_module_added_filter"}, {"definition": "search 
*", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powersploit_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_linked_policies_in_adsi_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_http_response_splitting_via_rest_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icacls_deny_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_installation_with_suspicious_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_application_via_apache_commons_text_filter"}, {"definition": "sourcetype=aws:cloudwatchlogs:vpcflow", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudwatchlogs_vpcflow"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_delete_task_sd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_uninstall_program_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_connections_discovery_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_bitsadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clients_connecting_to_multiple_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_changes_in_master_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_no_command_line_arguments_filter"}, {"definition": "index=_internal sourcetype=splunkd_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkda"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_powershell_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_discovery_using_route_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_script_block_filter"}, {"definition": "BitlockerWizardElev.exe,cliconfg.exe,clipup.exe,cmstp.exe,CompMgmtLauncher.exe,consent.exe,control.exe,credwiz.exe,dccw.exe,dismhost.exe,EventVwr.exe,fodhelper.exe,GWXUXWorker.exe,inetmgr.exe,iscsicli.exe,mcx2prov.exe,migwiz.exe,mmc.exe,msconfig.exe,oobe.exe,osk.exe,pkgmgr.exe,recdisc.exe,rstrui.exe,sdclt.exe,setupsqm.exe,slui.exe,sysprep.exe,SystemPropertiesAdvanced.exe,taskhost.exe,TpmInit.exe,tzsync.exe,w32tm.exe,WerFault.exe,WSReset.exe,wusa.exe", "description": "A listing of processes known to be abused for User Account Control bypass exploitation.", "name": "uacbypass_process_name"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_windows_task_scheduler_event_action_started_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_toast_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"amazon_eks_kubernetes_cluster_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_powershell_uploadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "password_policy_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_java_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_chrome_process_accessing_chrome_default_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_high_risk_permissions_by_resource_and_account_filter"}, {"definition": "(Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_cmd"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_suspicious_kerberos_tgt_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_absolute_path_traversal_using_runshellscript_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos_plutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_server_software_component_gacutil_install_to_gac_filter"}, {"definition": "search *", "description": 
"Update this macro to limit the output results to filter out false positives.", "name": "wsreset_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_winrar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_etc_folder_filter"}, {"definition": "sourcetype=circleci", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "circleci"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_enterprise_information_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_smbexec_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_information_discovery_fsutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_findstr_gpp_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_wmi_command_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_script_block_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_privilege_escalation_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_task_manager_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_number_of_failed_authentications_for_user_filter"}, {"definition": "(Processes.original_file_name=rclone.exe OR Processes.process_name=rclone.exe)", "description": "Matches the process with its original file name.", "name": "process_rclone"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "persistent_xss_in_rapiddiag_through_user_interface_views_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_valid_account_with_never_expires_password_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adsisearcher_account_discovery_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_driver_loaded_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_domain_account_discovery_via_get_netcomputer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_password_managers_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_remcomsvc_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_computer_changed_with_anonymous_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_updateserviceurlalternate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_with_gpme_filter"}, {"definition": "(eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR 
eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances)", "description": "This is a list of AWS event names that have to do with modifying Amazon EC2 instances", "name": "ec2_modification_api_calls"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_firewall_with_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_files_and_dirs_access_rights_modification_via_icacls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_replication_acl_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_destroyed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clop_common_exec_parameter_filter"}, {"definition": "user IN (user_names_here)", "description": "specify the user allowed to create PRs in Github projects.", "name": 
"github_known_users"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unknown_process_using_the_kerberos_protocol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_none_disable_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_regedit_silent_reg_import_filter"}, {"definition": "sourcetype=\"netbackup_logs\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "netbackup"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_indicator_removal_clear_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_ldap_nslookup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_traffic_mirroring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_dcrat_forkbomb_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_high_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_spawned_child_process_to_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_shred_overwrite_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_net_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_info_gathering_using_dxdiag_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c89_privilege_escalation_filter"}, {"definition": "sourcetype=gws:reports:admin", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_reports_admin"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_failure_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_support_provider_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_anomalous_resource_utilisation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_delete_or_modify_system_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_scheduletask_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_suspicious_behavior_debug_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "outbound_network_connection_from_java_using_default_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_processor_registry_autostart_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "disable_security_logs_using_minint_registry_filter"}, {"definition": "(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_schtasks"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "runas_execution_in_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_record_changed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_identify_protocol_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"certutil_exe_certificate_extraction_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_access_by_provider_user_and_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_adding_a_printer_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_dns_query_known_abuse_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_zerologon_via_zeek_filter"}, {"definition": "sourcetype=stream:http", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_http"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_updateloginprofile_filter"}, {"definition": "(Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_powershell"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdclt_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"linux_stdout_redirection_to_dev_null_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_attackers_scanning_for_vulnerable_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sc_exe_manipulating_windows_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_csvtool_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domaintrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_network_config_discovery_display_dns_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_or_modification_of_sshd_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_of_net_users_filter"}, {"definition": "index=risk", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "risk_index"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_tamper_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "time_provider_persistence_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_amsi_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_mfa_exhaustion_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_of_wermgr_to_known_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_adfind_exe_filter"}, {"definition": "(Processes.process_name=bitsadmin.exe OR Processes.original_file_name=bitsadmin.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_bitsadmin"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_via_powershell_and_eventcode_4703_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mof_event_triggered_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_successful_group_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_country_filter"}, {"definition": "sourcetype=o365:management:activity", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_management_activity"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_filter"}, {"definition": "eventtype=wineventlog_application OR source=\"XmlWinEventLog:Application\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_application"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_disabled_users_failed_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_winverifytrust_failed_trust_validation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "first_time_seen_child_process_of_zoom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_creation_on_remote_endpoint_using_at_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_regsvr32_renamed_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_within_public_path_filter"}, {"definition": "(Processes.process_name=esentutl.exe OR Processes.original_file_name=esentutl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_esentutl"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_repository_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "windows_powershell_import_applocker_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_cve_2023_22515_trigger_vulnerability_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_spawning_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_module_failed_to_load_filter"}, {"definition": "(index=_internal AND sourcetype=splunkd_crash_log)", "description": "Searches through the Splunk Crash Log for low-level errors and crashes", "name": "splunk_crash_log"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_msdtc_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_add_module_to_global_assembly_cache_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_access_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_processes_run_from_unexpected_locations_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results 
to filter out false positives.", "name": "windows_kerberos_local_successful_logon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_enable_powershell_remoting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmlua_or_cmstplua_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executable_file_written_in_administrative_smb_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_prohibited_applications_spawning_cmd_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rare_executables_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "shim_database_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_screen_capture_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_accessdenied_discovery_events_filter"}, {"definition": "(Processes.process_name=diskshadow.exe OR 
Processes.original_file_name=diskshadow.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_diskshadow"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_created_via_xml_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_submit_samples_consent_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_browser_pass_view_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_class_file_download_by_java_user_agent_filter"}, {"definition": "(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source=\"XmlWinEventLog:Microsoft-Windows-PowerShell/Operational\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "powershell"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_multiple_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___encoded_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_rogue_domain_controller_network_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_process_injection_via_getprocaddress_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_access_software_rms_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_connhost_exe_started_forcefully_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_service_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_risky_spl_using_pretrained_ml_model_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_tgt_request_using_rc4_encryption_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_gcploit_framework_filter"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-Windows Defender/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "ms_defender"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rules_stacking_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_time_based_evasion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_adsisearcher_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "eventtype=wineventlog_system", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_system"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_using_infotech_storage_handlers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "usn_journal_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_cab_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_immutableid_attribute_updated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_rights_delegation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_dontshowui_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_add_new_module_filter"}, {"definition": "user.username=admin", "description": "Define your user names which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_names"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_enablelinkedconnections_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "excel_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autostart_execution_lsass_driver_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter"}, {"definition": "lookup update=true is_net_windows_file filename as process_name OUTPUT netFile | lookup update=true is_net_windows_file originalFileName as original_file_name OUTPUT netFile | search netFile=true", "description": "This macro limits the output to process names that are .net binaries on Windows Server 2016 and Windows 11.", "name": "is_net_windows_file"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execute_javascript_with_jscript_com_clsid_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_spawning_a_process_filter"}, {"definition": "sourcetype=gsuite:drive:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_drive"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_win_updates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dump_lsass_via_procdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_processes_used_for_system_network_configuration_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_requesting_kerberos_ticket_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "logon_script_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_group_policy_features_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_bypass_mfa_via_trusted_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_call_create_filter"}, {"definition": "(Processes.process_name=copy.exe OR Processes.original_file_name=copy.exe OR Processes.process_name=xcopy.exe OR Processes.original_file_name=xcopy.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_copy"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out 
false positives.", "name": "windows_multiple_invalid_users_fail_to_authenticate_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_server_side_template_injection_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ngrok_reverse_proxy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mail_permissioned_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_modified_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_abuse_via_ssrf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_remote_services_script_execute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_role_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_user_aws_console_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainuser_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_system_firewall_with_notable_process_path_filter"}, {"definition": "search *", "description": "Update this macro 
to limit the output results to filter out false positives.", "name": "unusually_long_content_type_length_filter"}, {"definition": "(query=outlook* AND query=login* AND query=account*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Outlook", "name": "evilginx_phishlets_outlook"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "user_discovery_with_env_vars_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_logoff_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_with_decode_argument_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_instances_launched_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_certificate_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_active_service_accounts_by_pod_namespace_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dotnet_binary_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_ami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_series_of_forfiles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_account_discovery_for_sam_account_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defacement_modify_transcodedwallpaper_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_notification_center_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___password_sharing_across_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"add_defaultuser_and_password_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_cryptography_namespace_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_enabled_and_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_via_osquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "screensaver_event_trigger_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_into_notepad_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_risky_spl_mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_external_guest_user_invited_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "microsoft_sharepoint_server_elevation_of_privilege_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_plistbuddy_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_logoff_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_serialized_session_payload_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_for_log4shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_shell_running_on_worker_node_with_cpu_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_rar_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_to_safe_mode_with_network_config_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"okta_new_device_enrolled_on_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_new_api_token_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_for_creating_shim_databases_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_file_created_in_systemd_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windows_security_center_notif_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_attachment_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_nopasswd_entry_in_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_detect_accounts_with_high_risk_roles_by_project_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_thread_to_known_windows_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_servers_executing_suspicious_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_edit_user_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "monitor_dns_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_ec2_snapshot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_abused_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_in_registry_reg_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_with_kms_keys_performing_encryption_s3_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_data_destruction_recursive_exec_files_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_registry_modification_wav_openwithprogids_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_monitoring_console_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_rclone_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_tool_execution_filter"}, {"definition": "lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile | search nirsoftFile=true", "description": "This 
macro is related to potentially identifiable software related to NirSoft. Remove or filter as needed based.", "name": "is_nirsoft_software"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_agent_filter"}, {"definition": "sourcetype=\"aws:securityhub:finding\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_securityhub_finding"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "certutil_download_with_verifyctl_and_split_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_kerberos_service_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exchange_powershell_module_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_shutdown_button_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "windows_root_domain_linked_policies_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gem_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prevent_automatic_repair_mode_using_bcdedit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "access_lsass_memory_for_dump_creation_filter"}, {"definition": "(query=api* AND query = github*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as GitHub", "name": "evilginx_phishlets_github"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as url OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as url OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This is a description", "name": "dynamic_dns_web_traffic"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_pst_export_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_with_md5_reg_key_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_empire_with_powershell_script_block_logging_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_dependabot_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_dllhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_attachments_with_lots_of_spaces_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_rundll32_with_no_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hide_user_account_from_sign_in_screen_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rdp_connection_successful_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_high_file_deletion_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "serviceprincipalnames_discovery_with_setspn_filter"}, {"definition": 
"search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_driver_loaded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_city_filter"}, {"definition": "(query=accounts* AND query=ssl* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Google", "name": "evilginx_phishlets_google"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_remote_thread_filter"}, {"definition": "sourcetype=\"Pwsh:InstalledIISModules\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "iis_get_webglobalmodule"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "monitor_email_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_allow_config_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_make_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_boot_or_logon_autostart_execution_in_startup_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_disable_security_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_shared_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_file_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "secretdumps_offline_ntds_dumping_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dnsadmins_new_member_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "open_redirect_in_splunk_web_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "windows_modify_registry_usewuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_ad_access_control_list_enumeration_filter"}, {"definition": "sourcetype=o365:graph:api", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "o365_graph"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_hosts_connecting_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_api_calls_from_previously_unseen_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_authentication_failed_during_mfa_challenge_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sqlite3_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_exchange_web_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "process_creating_lnk_file_in_suspicious_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_remotesigned_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xsl_script_execution_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_get_ciminstance_remote_computer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_etw_through_registry_filter"}, {"definition": "(query=www* AND query=aws* AND query=console.aws* AND query=signin.aws* AND api-northeast-1.console.aws* AND query=fls-na* AND query=images-na*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as an AWS console", "name": "evilginx_phishlets_aws"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_application_registration_owner_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_zeek_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sql_injection_with_long_urls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrm_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_common_abused_cmd_shell_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "macos___re_opened_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempt_to_add_certificate_to_untrusted_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_shell_fetch_env_variables_filter"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new Windows services", "name": "previously_seen_windows_services_window"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_global_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_wmiobject_group_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_authentication_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_inventory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"azure_ad_pim_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_discovery_using_qwinsta_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_common_exec_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_in_the_templates_lists_radio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_service_control_start_as_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_eks_kubernetes_cluster_sensitive_object_access_filter"}, {"definition": "index=_audit sourcetype=audittrail action=search", "description": "Macro to enable easy searching of audittrail logs for searches", "name": "audit_searches"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rtlo_in_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_archive_collected_data_via_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"get_aduser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_create_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_network_traffic_allowed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_wake_on_lan_command_filter"}, {"definition": "(eventName=AuthorizeSecurityGroupIngress OR eventName=CreateSecurityGroup OR eventName=DeleteSecurityGroup OR eventName=DescribeClusterSecurityGroups OR eventName=DescribeDBSecurityGroups OR eventName=DescribeSecurityGroupReferences OR eventName=DescribeSecurityGroups OR eventName=DescribeStaleSecurityGroups OR eventName=RevokeSecurityGroupIngress OR eventName=UpdateSecurityGroupRuleDescriptionsIngress)", "description": "This macro is a list of AWS event names associated with security groups", "name": "security_group_api_calls"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_blocked_for_risky_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_c99_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_payload_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bits_job_persistence_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "change_default_file_association_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_registry_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_spawn_rundll32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indicator_removal_via_rmdir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_proxy_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_7_zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_spawning_rundll32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_kerberos_service_tickets_requested_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_credential_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawn_cmd_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "headless_browser_mockbin_or_mocky_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_path_interception_by_creation_of_program_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_without_extension_in_critical_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_special_privileged_logon_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_endpoint_denial_of_service_dos_zip_bomb_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_in_save_table_dialog_header_in_search_page_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"linux_account_manipulation_of_ssh_config_and_keys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mimikatz_passtheticket_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_echo_pipe___escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "services_escalate_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "risk_rule_for_dev_sec_ops_by_repository_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hidden_schedule_task_settings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mailsniper_invoke_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_registry_key_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "large_volume_of_dns_any_queries_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "revil_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_outliers___mltk_filter"}, {"arguments": ["b64in"], "definition": "eval b64x_split=split($b64in$,\"\") | lookup char_conversion_matrix base64char as b64x_split OUTPUT base64bin as b64x_bin | eval b64x_join=mvjoin(b64x_bin,\"\") | rex field=b64x_join \"(?.{8})\" max_match=0 | lookup char_conversion_matrix bin as b64x_by8 output ascii as b64x_out | eval $b64in$_decode=mvjoin(b64x_out,\"\") | fields - b64x_* | eval $b64in$_decode = replace(replace($b64in$_decode,\":NUL:\",\"\"),\":SPACE:\",\" \") | rex field=$b64in$_decode mode=sed \"s/\\x00//g\"", "description": "Content based conversion of UTF8/UTF16 based base64 encoding. 
Not a full implementation, but good enough for context without additional app installation.", "name": "base64decode"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_pdf_file_executes_url_link_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_cron_jobs_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_creating_thread_mutex_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_with_wmic_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_software_download_to_network_device_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_failed_login_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_web_traffic_to_dynamic_domain_providers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hiding_files_and_directories_with_attrib_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_ipv6_network_infrastructure_threats_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "system_user_discovery_with_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_no_auto_reboot_with_logon_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_kernel_mode_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_read_access_granted_to_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "samsam_test_file_write_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_abuse_of_secret_by_unusual_user_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_sip_provider_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_scheduling_job_on_remote_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_disk_volume_partition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_rdp_in_other_port_number_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_create_executable_file_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "windows_modify_registry_disablesecuritysettings_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_regsvr32_register_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_parent_pid_spoofing_with_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_and_gateway_unauthorized_data_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_user_consent_denied_for_oauth_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_dd_file_overwrite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_arp_poisoning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "steal_or_forge_authentication_certificates_behavior_identified_filter"}, {"definition": "summariesonly=false allow_old_summaries=true fillnull_value=null", "description": "search data model's summaries only", "name": "security_content_summariesonly"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_rdp_in_firewall_filter"}, {"definition": "search *", "description": 
"Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll_filter"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new provisioning activities", "name": "previously_unseen_cloud_provisioning_activity_window"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_spawn_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_suspicious_processnames_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_with_iscsicpl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excel_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_reg_restore_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "system_user_discovery_with_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_mpengine_registry_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "extended_period_without_successful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "executables_or_script_creation_in_suspicious_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_setup_registry_autostart_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sip_provider_inventory_filter"}, {"definition": "(Processes.process_name=netsh.exe OR Processes.original_file_name=netsh.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_netsh"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_input_capture_using_credential_ui_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_reg_exe_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getnettcpconnection_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_wmi_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_msiexec_remote_download_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_php_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "plain_http_post_exfiltrated_data_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_context_menu_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_iam_delete_policy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "3cx_supply_chain_attack_network_indicators_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_account_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_csrf_in_the_ssg_kvstore_client_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out 
false positives.", "name": "web_remote_shellservlet_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_response_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_known_graphicalproton_loaded_modules_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_mfa_method_registered_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potentially_malicious_code_on_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_computer_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "multiple_archive_files_http_post_traffic_filter"}, {"definition": "lookup update=true lookup_rare_process_allow_list_default process as process OUTPUTNEW allow_list | where allow_list=\"false\" | lookup update=true lookup_rare_process_allow_list_local process as process OUTPUT allow_list | where allow_list=\"false\"", "description": "This macro is intended to allow_list processes that have been definied as rare", "name": "filter_rare_process_allow_list"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_datasync_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_cacls_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to 
filter out false positives.", "name": "office_product_spawning_wmic_filter"}, {"definition": "index=zeek sourcetype=\"zeek:ssl:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_ssl"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_in_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_deletion_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disallow_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_get_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_binary_proxy_execution_mavinject_dll_injection_filter"}, {"definition": "sourcetype = PwSh:bootloader", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "bootloader_inventory"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_wustatusserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_saml_update_identity_provider_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_windows_event_logging_disable_http_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exchange_autodiscover_ssrf_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_high_privilege_role_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_utilities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_number_of_cloud_security_group_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disableremotedesktopantialias_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_authentication_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_lock_workstation_feature_through_registry_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_transfer_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "adobe_coldfusion_unauthenticated_arbitrary_file_read_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "trickbot_named_pipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "non_firefox_process_access_firefox_profile_dir_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_impair_security_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_user_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_executed_from_container_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_lfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"abnormally_high_number_of_cloud_infrastructure_api_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_bypass_uac_via_pkgmgr_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unsigned_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_apply_user_settings_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_excessive_authentication_failures_alert_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_remotely_failed_to_authenticate_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_njrat_fileless_storage_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remcos_client_registry_install_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jscript_execution_using_cscript_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results 
to filter out false positives.", "name": "windows_ad_short_lived_domain_account_serviceprincipalname_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_arp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_network_acl_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_file_modification_crmlog_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_commit_in_develop_filter"}, {"definition": "(Processes.process_name=psexec.exe OR Processes.process_name=psexec64.exe OR Processes.original_file_name=psexec.c)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_psexec"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_create_policy_version_to_allow_all_resources_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_execute_arbitrary_commands_with_msdt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_curl_upload_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_remote_assistance_spawning_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_moveit_transfer_writing_aspx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_added_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_risk_behavior_filter"}, {"definition": "(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_route"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_run_task_on_demand_filter"}, {"definition": "source=\"wineventlog:microsoft-windows-printservice/operational\" OR source=\"WinEventLog:Microsoft-Windows-PrintService/Admin\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "printservice"}, {"definition": "search *", "description": "Add customer specific known false positives to the map command used in detection - Potential password in username", "name": "potential_password_in_username_false_positive_reduction"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "control_loading_from_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_silent_and_install_param_dll_loading_filter"}, {"definition": "(Processes.process_name=setspn.exe OR Processes.original_file_name=setspn.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_setspn"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "modification_of_wallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "xmrig_driver_loaded_filter"}, {"definition": "index=kubernetes_metrics", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kubernetes_metrics"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_from_unsanctioned_location_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lateral_tool_transfer_remcom_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_kernel_driver_comadmin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_icedid_rundll32_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_clipboard_data_via_get_clipboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "print_spooler_failed_to_load_a_plug_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_code_injection_via_custom_dashboard_leading_to_rce_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_share_discovery_via_dir_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_low_informational_unknown_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_sc_service_utility_filter"}, {"definition": 
"search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_java_spawning_shells_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_phishing_detection_with_fastpass_origin_check_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_pod_scan_fingerprint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_suspected_passwordspray_attack_filter"}, {"definition": "(Processes.process_name=rundll32.exe OR Processes.original_file_name=RUNDLL32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_rundll32"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_at_allow_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winword_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_batch_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "execution_of_file_with_spaces_before_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "csc_net_on_the_fly_compilation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_create_local_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_with_namedpipe_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_network_discovery_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rapid_authentication_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_inline_hta_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enumerate_users_local_group_using_telegram_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_java_classes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "powershell_load_module_in_meterpreter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_webrequest_using_memory_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_dga_domains_using_pretrained_model_in_dsdl_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_investigations_manager_via_investigation_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email___uba_anomaly_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_control_rundll_world_writable_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_two_or_more_rejected_okta_pushes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_wermgr_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_pcalua_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_improperly_formatted_parameter_crashes_splunkd_filter"}, {"definition": "search *", "description": 
"Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_windefender_notifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_writing_cab_or_inf_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gpupdate_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_account_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_number_of_taskhost_processes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_operation_with_consent_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmdline_tool_not_executed_in_cmd_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___anomalous_user_clickspeed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_host_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_wmi_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"linux_indicator_removal_service_file_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_local_admin_with_findlocaladminaccess_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_norun_windows_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_commandline_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_html_help_renamed_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_fileless_script_contains_base64_encoded_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ntdsutil_export_ntds_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wbemprox_com_object_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_remotely_failed_to_auth_from_host_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_permanent_key_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "zeek_x509_certificate_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"icacls_grant_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_infrastructure_version_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_sql_spawning_certutil_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_process_and_service_list_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_access_to_sudoers_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "chcp_command_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_chrome_login_data_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_dns_failures_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_enable_win32_scheduledjob_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_with_spn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_data_destruction_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_unauthenticated_log_injection_web_service_log_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_instance_modified_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_device_code_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_plugininit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_using_wmi_class_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attempted_credential_dump_from_registry_via_reg_exe_filter"}, {"definition": "(eventName = CreateNetworkAcl OR eventName = CreateNetworkAclEntry OR eventName = DeleteNetworkAcl OR eventName = DeleteNetworkAclEntry OR eventName = ReplaceNetworkAclEntry OR eventName = ReplaceNetworkAclAssociation)", "description": "This is a list of AWS event names that are associated with 
Network ACLs", "name": "network_acl_events"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_service_stop_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_rce_via_user_xslt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_new_mfa_method_after_credential_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_federated_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_city_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_disable_restricted_admin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "prohibited_software_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "windows_domain_admin_impersonation_indicator_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_drivers_loaded_by_signature_filter"}, {"definition": "(Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_ping"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_outside_business_hours_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "lolbas_with_network_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388_filter"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_ui"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_createloginprofile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_cpulimit_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_account_lockouts_from_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_or_forge_kerberos_tickets_klist_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_setcap_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raccine_scheduled_task_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_ip_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_hardware_addition_swapoff_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certificate_issued_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "cloud_network_access_control_list_deleted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_default_group_policy_object_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_onenote_spawn_mshta_filter"}, {"definition": "lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious | search suspicious=true", "description": "This macro limits the output to email attachments that have suspicious extensions", "name": "suspicious_email_attachments"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_digital_certificates_lack_of_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadgroup_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_block_user_consent_for_risky_apps_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_sliverc2_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_alternate_datastream___base64_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_exfiltration_using_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_gather_victim_network_info_through_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_certutil_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_login_failure_with_high_unknown_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_4104_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring4shell_http_request_class_module_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wevtutil_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "no_windows_updates_in_a_time_frame_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_curl_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "randomly_generated_scheduled_task_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_kubernetes_cluster_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_apt_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "macos_lolbin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_show_compress_color_and_info_tip_registry_filter"}, {"definition": "eval orig_process=process, process=replace(lower(process), \"`\", \"\") | makemv tokenizer=\"([\\w\\d\\-]+)\" process | eval unusual_cmdline_feature_for=if(match(process, \"^for$\"), mvcount(mvfilter(match(process, \"^for$\"))), 0), unusual_cmdline_feature_netsh=if(match(process, \"^netsh$\"), mvcount(mvfilter(match(process, \"^netsh$\"))), 0), unusual_cmdline_feature_readbytes=if(match(process, \"^readbytes$\"), mvcount(mvfilter(match(process, \"^readbytes$\"))), 0), unusual_cmdline_feature_set=if(match(process, \"^set$\"), mvcount(mvfilter(match(process, \"^set$\"))), 0), unusual_cmdline_feature_unrestricted=if(match(process, \"^unrestricted$\"), mvcount(mvfilter(match(process, \"^unrestricted$\"))), 0), unusual_cmdline_feature_winstations=if(match(process, \"^winstations$\"), mvcount(mvfilter(match(process, \"^winstations$\"))), 0), unusual_cmdline_feature_-value=if(match(process, \"^-value$\"), mvcount(mvfilter(match(process, \"^-value$\"))), 0), unusual_cmdline_feature_compression=if(match(process, \"^compression$\"), mvcount(mvfilter(match(process, \"^compression$\"))), 0), unusual_cmdline_feature_server=if(match(process, \"^server$\"), mvcount(mvfilter(match(process, \"^server$\"))), 0), unusual_cmdline_feature_set-mppreference=if(match(process, \"^set-mppreference$\"), mvcount(mvfilter(match(process, \"^set-mppreference$\"))), 0), unusual_cmdline_feature_terminal=if(match(process, \"^terminal$\"), mvcount(mvfilter(match(process, \"^terminal$\"))), 0), unusual_cmdline_feature_-name=if(match(process, \"^-name$\"), mvcount(mvfilter(match(process, \"^-name$\"))), 0), unusual_cmdline_feature_catch=if(match(process, \"^catch$\"), mvcount(mvfilter(match(process, \"^catch$\"))), 0), 
unusual_cmdline_feature_get-wmiobject=if(match(process, \"^get-wmiobject$\"), mvcount(mvfilter(match(process, \"^get-wmiobject$\"))), 0), unusual_cmdline_feature_hklm=if(match(process, \"^hklm$\"), mvcount(mvfilter(match(process, \"^hklm$\"))), 0), unusual_cmdline_feature_streamreader=if(match(process, \"^streamreader$\"), mvcount(mvfilter(match(process, \"^streamreader$\"))), 0), unusual_cmdline_feature_system32=if(match(process, \"^system32$\"), mvcount(mvfilter(match(process, \"^system32$\"))), 0), unusual_cmdline_feature_username=if(match(process, \"^username$\"), mvcount(mvfilter(match(process, \"^username$\"))), 0), unusual_cmdline_feature_webrequest=if(match(process, \"^webrequest$\"), mvcount(mvfilter(match(process, \"^webrequest$\"))), 0), unusual_cmdline_feature_count=if(match(process, \"^count$\"), mvcount(mvfilter(match(process, \"^count$\"))), 0), unusual_cmdline_feature_webclient=if(match(process, \"^webclient$\"), mvcount(mvfilter(match(process, \"^webclient$\"))), 0), unusual_cmdline_feature_writeallbytes=if(match(process, \"^writeallbytes$\"), mvcount(mvfilter(match(process, \"^writeallbytes$\"))), 0), unusual_cmdline_feature_convert=if(match(process, \"^convert$\"), mvcount(mvfilter(match(process, \"^convert$\"))), 0), unusual_cmdline_feature_create=if(match(process, \"^create$\"), mvcount(mvfilter(match(process, \"^create$\"))), 0), unusual_cmdline_feature_function=if(match(process, \"^function$\"), mvcount(mvfilter(match(process, \"^function$\"))), 0), unusual_cmdline_feature_net=if(match(process, \"^net$\"), mvcount(mvfilter(match(process, \"^net$\"))), 0), unusual_cmdline_feature_com=if(match(process, \"^com$\"), mvcount(mvfilter(match(process, \"^com$\"))), 0), unusual_cmdline_feature_http=if(match(process, \"^http$\"), mvcount(mvfilter(match(process, \"^http$\"))), 0), unusual_cmdline_feature_io=if(match(process, \"^io$\"), mvcount(mvfilter(match(process, \"^io$\"))), 0), unusual_cmdline_feature_system=if(match(process, \"^system$\"), 
mvcount(mvfilter(match(process, \"^system$\"))), 0), unusual_cmdline_feature_new-object=if(match(process, \"^new-object$\"), mvcount(mvfilter(match(process, \"^new-object$\"))), 0), unusual_cmdline_feature_if=if(match(process, \"^if$\"), mvcount(mvfilter(match(process, \"^if$\"))), 0), unusual_cmdline_feature_threading=if(match(process, \"^threading$\"), mvcount(mvfilter(match(process, \"^threading$\"))), 0), unusual_cmdline_feature_mutex=if(match(process, \"^mutex$\"), mvcount(mvfilter(match(process, \"^mutex$\"))), 0), unusual_cmdline_feature_cryptography=if(match(process, \"^cryptography$\"), mvcount(mvfilter(match(process, \"^cryptography$\"))), 0), unusual_cmdline_feature_computehash=if(match(process, \"^computehash$\"), mvcount(mvfilter(match(process, \"^computehash$\"))), 0)", "description": "Performs the tokenization and application of the malicious commandline classifier", "name": "potentially_malicious_code_on_cmdline_tokenize_score"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_account_discovery_with_dsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_insert_kernel_module_using_insmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_computer_account_name_change_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_node_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winhlp32_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_suspect_process_with_authentication_traffic_filter"}, {"definition": "lookup ransomware_notes_lookup ransomware_notes as file_name OUTPUT status as \"Known Ransomware Notes\" | search \"Known Ransomware Notes\"=True", "description": "This macro limits the output to files that have been identified as a ransomware note", "name": "ransomware_notes"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_domainpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_autoit3_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_qakbot_binary_data_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_uac_remote_restriction_filter"}, {"definition": "sourcetype=PwSh:DriverInventory", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "driverinventory"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_noninteractive_app_uninstallation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "anomalous_usage_of_7zip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_use_of_cmd_exe_to_launch_script_interpreters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_reg_save_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "living_off_the_land_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_non_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_vulnerable_3cx_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_network_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_createaccesskey_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "file_with_samsam_extension_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mail_protocol_in_non_common_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_ssl_certificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_iam_assume_role_policy_brute_force_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_winlogon_with_public_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_ticket_granting_ticket_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_snake_malware_service_create_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spring4shell_payload_url_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_stop_via_net__and_sc_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_dcom_and_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "windows_powershell_wmi_win32_scheduledjob_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_indirect_command_execution_via_forfiles_filter"}, {"definition": "(Processes.process_name=msbuild.exe OR Processes.original_file_name=MSBuild.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msbuild"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_dns_tunnels_filter"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TaskScheduler/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_task_scheduler"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outlook_exe_writing_a_zip_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_lsa_secrets_nolmhash_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_profiler_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_win_defender_auto_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results 
to filter out false positives.", "name": "monitor_web_traffic_for_brand_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_modification_for_safe_mode_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_change_default_file_association_for_no_file_ext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_nochangingwallpaper_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_runas_elevated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gdb_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_adc_exploitation_cve_2023_3519_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_or_modify_tools_via_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_credential_access_rds_password_reset_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabled_kerberos_pre_authentication_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "detect_webshell_exploit_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_identity_sam_info_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_user_account_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remove_windows_defender_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_unauthorized_assets_by_mac_address_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "java_writing_jsp_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_app_layer_protocol_qakbot_namedpipe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mark_of_the_web_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_winrs_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "okta_account_lockout_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_for_service_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ws_ftp_remote_code_execution_filter"}, {"definition": "(Processes.process_name=gpupdate.exe OR Processes.original_file_name=GPUpdate.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_gpupdate"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_remote_thread_into_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_privileged_role_assigned_to_service_principal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_multiple_failed_requests_to_access_applications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_application_drop_executable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kworker_process_in_writable_process_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rclone_command_line_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msi_module_loaded_by_non_system_binary_filter"}, {"definition": 
"sourcetype=aws:firehose:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "github"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_same_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_by_firewall_rule_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_driver_load_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_excessive_disabled_services_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "registry_keys_used_for_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_within_public_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_putbucketlifecycle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_computer_account_created_by_computer_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_exfiltration_over_c2_via_invoke_restmethod_filter"}, {"definition": "eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security", "description": 
"customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wineventlog_security"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_executing_macro_code_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_http_command_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_process_with_discord_dns_query_filter"}, {"definition": "(Processes.process_name=mshta.exe OR Processes.original_file_name=MSHTA.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_mshta"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_with_resource_ratio_anomalies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_get_session_token_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_puppet_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_requests_resolved_by_unauthorized_dns_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the 
output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_adminsdholder_acl_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fsutil_zeroing_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_ssh_key_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_docker_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_certificate_filter"}, {"definition": "index=netops sourcetype=\"f5:bigip:rogue\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "f5_bigip_rogue"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_applicationimpersonation_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "malicious_powershell_process___execution_policy_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_with_previously_unseen_image_filter"}, {"definition": "(Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_wmic"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_pim_role_assignment_activated_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_spn_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_sudo_or_su_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_es_dos_through_investigation_attachments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"okta_mismatch_between_source_and_response_for_verify_push_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "single_letter_process_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deleting_critical_directory_using_rm_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_do_not_connect_to_win_update_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "slui_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_rdp_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_gather_victim_host_information_camera_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_successful_console_authentication_from_multiple_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_raw_access_to_master_boot_record_drive_filter"}, {"definition": "search *", "description": "Update this macro to limit the output 
results to filter out false positives.", "name": "dllhost_with_no_command_line_arguments_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_sqlite3_lsquarantine_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dism_remove_defender_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_smartscreen_protection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_wmi_impersonate_token_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_frequency_copy_of_files_in_network_share_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "regsvr32_with_known_silent_switch_cmdline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_time_discovery_w32tm_delay_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ldifde_directory_object_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_remote_network_connection_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_source_failed_authentications_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_identified_ssl_tls_certificates_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsuccessful_netbackup_backups_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_gnu_awk_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_successful_single_factor_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winevent_scheduled_task_created_to_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_activity_reported_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "short_lived_scheduled_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_using_malformed_saml_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaingroup_with_powershell_filter"}, {"definition": 
"(source=XmlWinEventLog:Microsoft-Windows-CAPI2/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "capi2_operational"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_computer_service_tickets_requested_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getdomaincontroller_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hunting_system_account_targeting_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_restarted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disableantispyware_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_papercut_ng_spawn_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_gcp_storage_buckets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "linux_openvpn_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_iis_components_get_webglobalmodule_module_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___advpack_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_createremotethread_in_browser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_runbook_webhook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_defense_evasion_delete_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_domain_organizational_units_with_getdomainou_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dns_query_length_with_high_standard_deviation_filter"}, {"definition": "(query=login* AND query=www*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Office 365", "name": "evilginx_phishlets_0365"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_systemrestore_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "log4shell_jndi_payload_injection_with_outbound_connection_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "get_addefaultdomainpasswordpolicy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "common_ransomware_notes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defense_delete_win_defender_profile_registry_filter"}, {"definition": "eventtype=\"osquery-process\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery_process"}, {"definition": "(Processes.process_name=dxdiag.exe OR Processes.original_file_name=dxdiag.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dxdiag"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_drive_share_in_external_email_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_image_creation_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_mmc_load_unsigned_dll_filter"}, {"definition": "sourcetype=aws:cloudtrail", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cloudtrail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_scripting_process_loading_ldap_module_filter"}, {"definition": "(query=fls-na* AND query = www* AND query=images*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as Amazon", "name": "evilginx_phishlets_amazon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_mshta_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_load_dll_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sunburst_correlation_dll_and_network_event_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_process_injection_with_public_source_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powerview_constrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_windows_recycle_bin_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rogue_dhcp_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_processing_stream_of_data_filter"}, {"definition": "search *", "description": "Update this macro to 
limit the output results to filter out false positives.", "name": "windows_mimikatz_crypto_export_file_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "svchost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_exclusion_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_unregister_dllregisterserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_app_hotkeys_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_remote_user_account_control_filter"}, {"definition": "(Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe OR Processes.original_file_name=procdump)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_procdump"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_port_security_violation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_local_admin_accounts_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_inbound_traffic_in_firewall_rule_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"detect_regsvr32_application_control_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nishang_powershelltcponeline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_network_access_control_list_created_with_all_open_ports_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_wmi_event_subscription_persistence_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_query_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_administrative_shares_accessed_on_multiple_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "searchprotocolhost_with_no_command_line_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_setdefaultpolicyversion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admin_permission_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "github_actions_disable_security_workflow_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out 
false positives.", "name": "detect_baron_samedit_cve_2021_3156_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "dsquery_domain_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_kernel_module_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schcache_change_by_app_connect_and_create_adsi_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certipy_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "smb_traffic_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_failed_to_authenticate_using_ntlm_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_admon_group_policy_object_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "papercut_ng_remote_web_access_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "create_or_delete_windows_shares_using_net_exe_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "remcos_rat_file_creation_in_remcos_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detection_of_tools_built_by_nirsoft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_searchprotocolhost_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "pingid_mismatch_auth_source_and_verification_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_baron_samedit_cve_2021_3156_segfault_filter"}, {"definition": "(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regasm"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msbuild_suspicious_spawned_by_script_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_find_interesting_acl_with_findinterestingdomainacl_filter"}, {"definition": "index=_internal sourcetype=investigation_rest_handler", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_investigation_rest_handler"}, {"definition": "lookup update=true brandMonitoring_lookup domain as query OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_dns"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "jetbrains_teamcity_rce_attempt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_credential_dumping_through_lsass_access_filter"}, {"definition": "userAgent=Helm/3.13.2", "description": "Define your user agents which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_user_agents"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_long_dns_txt_record_response_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_number_of_login_failures_from_a_single_source_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_scheduled_task_from_public_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "vmware_workspace_one_freemarker_server_side_template_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "identify_new_user_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"kubernetes_aws_detect_most_active_service_accounts_by_pod_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cs_backup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_recon_running_process_or_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "winrar_spawning_shell_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_or_stop_service_filter"}, {"definition": "event.parameters{}.multiValue{} IN (\"backup_code\", \"google_authenticator\", \"google_prompt\", \"idv_any_phone\", \"idv_preregistered_phone\", \"internal_two_factor\", \"knowledge_employee_id\", \"knowledge_preregistered_email\", \"login_location\", \"knowledge_preregistered_phone\", \"offline_otp\", \"security_key\", \"security_key_otp\")", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gws_login_mfa_methods"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "curl_download_and_bash_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_hosts_file_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_risk_threshold_exceeded_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_successful_powershell_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_registry_bootexecute_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_private_keys_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_user_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "net_localgroup_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "proxyshell_proxynotshell_behavior_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter 
out false positives.", "name": "splunk_xss_in_highlighted_json_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_common_process_for_elevation_control_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_deleted_or_created_via_cmd_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_from_ip_filter"}, {"definition": "\"-70m@m\"", "description": "Use this macro to determine how far back you should be checking for new zoom child processes", "name": "previously_seen_zoom_child_processes_window"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_authentication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_proxyenable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_file_modifications_filter"}, {"definition": "index=_internal sourcetype=splunk_web_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_webx"}, {"definition": "(Processes.process_name=dllhost.exe OR Processes.original_file_name=dllhost.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_dllhost"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_suspicious_use_of_a_session_cookie_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_add_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_blocked_outbound_traffic_from_your_aws_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_threatinsight_threat_detected_filter"}, {"definition": "(Processes.process_name=sdelete.exe OR Processes.original_file_name=sdelete.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_sdelete"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "path_traversal_spl_injection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "impacket_lateral_movement_commandline_parameters_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "citrix_sharefile_exploitation_cve_2023_24489_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "excessive_attempt_to_disable_services_filter"}, {"definition": "(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "certificateservices_lifecycle"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_suspicious_admin_email_forwarding_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_using_memory_as_backing_store_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_get_adcomputer_unconstrained_delegation_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ingress_tool_transfer_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "petitpotam_network_share_access_request_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_preload_hijack_library_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_netstat_filter"}, {"definition": "search *", "description": "Update 
this macro to limit the output results to filter out false positives.", "name": "windows_ad_domain_controller_audit_policy_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_delete_cloudwatch_log_group_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getlocaluser_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_shimcache_flush_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_api_activities_from_unapproved_accounts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_failed_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_logs_using_wevtutil_filter"}, {"definition": "sourcetype=\"zeek:x509:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_x509"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_active_directory_high_risk_sign_in_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ransomware_notes_bulk_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_password_policy_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocols_passing_authentication_in_cleartext_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "overwriting_accessibility_binaries_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_fraud___account_harvesting_filter"}, {"definition": "lookup update=true ransomware_extensions_lookup Extensions AS file_extension OUTPUT Name | search Name !=False", "description": "This macro limits the output to files that have extensions associated with ransomware", "name": "ransomware_extensions"}, {"definition": "sourcetype=\"PwSh:SubjectInterfacePackage\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "subjectinterfacepackage"}, {"definition": "(process_name= \"arp.exe\" OR process_name= \"at.exe\" OR process_name= \"attrib.exe\" OR process_name= \"cscript.exe\" OR process_name= \"dsquery.exe\" OR process_name= \"hostname.exe\" OR process_name= \"ipconfig.exe\" OR process_name= \"mimikatz.exe\" OR process_name= \"nbstat.exe\" OR process_name= \"net.exe\" OR process_name= \"netsh.exe\" OR process_name= \"nslookup.exe\" OR process_name= \"ping.exe\" OR process_name= \"quser.exe\" OR process_name= \"qwinsta.exe\" OR process_name= \"reg.exe\" OR process_name= \"runas.exe\" OR process_name= \"sc.exe\" OR process_name= \"schtasks.exe\" OR process_name= \"ssh.exe\" OR process_name= \"systeminfo.exe\" OR process_name= \"taskkill.exe\" OR process_name= \"telnet.exe\" OR process_name= \"tracert.exe\" OR process_name=\"wscript.exe\" OR process_name= \"xcopy.exe\")", "description": "This macro is a list of process that can be used to discover the network configuration", "name": "system_network_configuration_discovery_tools"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_command_and_scripting_interpreter_delete_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_privileged_object_access_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "f5_tmui_authentication_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_alternate_datastream___executable_content_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_email_suspicious_subject_with_attachment_filter"}, {"definition": "(Processes.process_name=certutil.exe OR Processes.original_file_name=CertUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_certutil"}, {"definition": "sourcetype=osquery:results", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "osquery"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mshta_execution_in_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_windbg_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "sourcetype=mscs:azure:audit", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_audit"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_with_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "protocol_or_port_mismatch_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_suppress_win_defender_notif_filter"}, {"definition": "eventtype=cisco_ios", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "cisco_networks"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_maxconnectionperserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_permanent_event_subscription___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_access_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_credential_theft_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_spawn_discovery_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_antivirus_registry_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_user_logins_from_multiple_cities_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "email_servers_sending_high_volume_traffic_to_hosts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spectre_and_meltdown_vulnerable_systems_filter"}, {"definition": "(Processes.process_name=nltest.exe OR Processes.original_file_name=nltestrk.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_nltest"}, {"definition": "(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_reg"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_terminated_by_user___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_copy_on_system32_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_created_with_suspicious_service_path_filter"}, {"definition": "sourcetype=aws:asl", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "amazon_security_lake"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_com_hijacking_inprocserver32_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_security_account_manager_stopped_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_open_s3_buckets_over_aws_cli_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_script_block_with_url_chain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_file_created_in_kernel_driver_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "network_connection_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_file_share_discovery_with_powerview_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_nslookup_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_job_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_kill_base_on_file_path_filter"}, {"definition": "(Processes.process_name=microsoft.workflow.compiler.exe OR 
Processes.original_file_name=Microsoft.Workflow.Compiler.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_microsoftworkflowcompiler"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_cryptoapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "enable_wdigest_uselogoncredential_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "circle_ci_disable_security_step_filter"}, {"definition": "sourcetype=\"wineventlog:microsoft-windows-wmi-activity/operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "wmi"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_email_attachment_extensions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_aduserresultantpasswordpolicy_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getwmiobject_ds_group_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "msmpeng_application_dll_side_loading_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"getwmiobject_ds_user_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter"}, {"definition": "| inputlookup prohibited_apps_launching_cmd | rename prohibited_applications as parent_process_name | eval parent_process_name=\"*\" . parent_process_name | table parent_process_name", "description": "This macro outputs a list of process that should not be the parent process of cmd.exe", "name": "prohibited_apps_launching_cmd"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unsigned_image_loaded_by_lsass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_lambda_updatefunctioncode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_wav_file_in_appdata_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ryuk_test_files_detected_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_winlogon_duplicate_token_handle_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_loading_dotnet_into_memory_via_reflection_filter"}, {"definition": "sourcetype=azure:monitor:aad", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "azure_monitor_aad"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_mailbox_inbox_folder_shared_with_all_users_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wscript_or_cscript_suspicious_child_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_replication_request_initiated_by_user_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_diskshadow_proxy_execution_filter"}, {"definition": "sourcetype=\"MSWindows:IIS\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "exchange"}, {"definition": "sourcetype=gsuite:gmail:bigquery", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_gmail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "amazon_eks_kubernetes_pod_scan_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_dump_spl_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_usage_of_taskkill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_apache_benchmark_binary_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rubeus_kerberos_ticket_exports_through_winlogon_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_new_custom_domain_added_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_concurrent_sessions_from_different_ips_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadstring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "drop_icedid_license_dat_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to 
filter out false positives.", "name": "linux_file_creation_in_init_boot_directory_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_api_calls_from_user_roles_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_windows_defender_exclusion_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_previously_unseen_container_image_name_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_rundll32_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "verclsid_clsid_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_controller_discovery_with_nltest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "domain_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_gpupdate_no_command_line_arguments_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_dos_via_printf_search_function_filter"}, {"definition": "objectRef.name IN (*splunk*, *falco*)", "description": "Define your images which are allowed to 
connect to your kubernetes cluster.", "name": "kube_allowed_images"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_privilege_discovery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_rule_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_excessive_security_scanning_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_mysql_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gcp_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates___esc1_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schedule_task_with_rundll32_command_trigger_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshtml_module_load_in_office_product_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_cmd_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"linux_pkexec_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "auto_admin_logon_registry_entry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_steal_authentication_certificates_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "creation_of_lsass_dump_with_taskmgr_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_dnsquery_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_adding_crontab_using_list_parameter_filter"}, {"definition": "index=_internal sourcetype=splunk_python", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunk_python"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_lockworkstation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_odbcconf_hunting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_selfsigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___setupapi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_high_frequency_of_file_deletion_in_boot_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "okta_failed_sso_attempts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uninstall_app_using_msiexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "fortinet_appliance_auth_bypass_filter"}, {"definition": "sourcetype=stream:tcp", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_tcp"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mshta_spawning_rundll32_or_regsvr32_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ping_sleep_batch_command_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "w3wp_spawning_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_modify_registry_default_icon_setting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "permission_modification_using_takeown_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "etw_registry_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_task_initiation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_deleting_its_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_excessive_user_account_lockouts_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_changes_to_file_associations_filter"}, {"definition": "source=ActiveDirectory", "description": "customer specific splunk configurations(eg- index, source, 
sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "admon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wermgr_process_connecting_to_ip_check_web_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll_loading_dll_by_ordinal_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_command_and_scripting_interpreter_path_traversal_exec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_risky_command_abuse_disclosed_february_2023_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_ldap_traffic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hosts_receiving_high_volume_of_network_traffic_from_email_server_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_copy_of_shadowcopy_with_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multi_factor_authentication_disabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ngrok_reverse_proxy_on_network_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_masquerading_explorer_as_child_process_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_role_access_filter"}, {"definition": "sourcetype=\"papercutng\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "papercutng"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "recon_avproduct_through_pwh_or_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_spearphishing_attachment_connect_to_none_ms_office_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gdrive_suspicious_file_sharing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mshta_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_cronjob_modification_with_editor_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ec2_instance_started_with_previously_unseen_instance_type_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "deleting_shadow_copies_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_user_discovery_via_quser_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "first_time_seen_running_windows_service_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_account_discovery_drilldown_dashboard_disclosure_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_aws_detect_suspicious_kubectl_calls_filter"}, {"definition": "source=\"kubernetes\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype) for Kubernetes audit data. Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_audit"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_defender_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uncommon_processes_on_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credentials_from_password_stores_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_url_in_command_line_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "eventvwr_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_file_on_disk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_user_from_new_country_filter"}, {"definition": "search *", "description": "Update 
this macro to limit the output results to filter out false positives.", "name": "disable_registry_tool_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "extraction_of_registry_hives_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "confluence_data_center_and_server_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "sdelete_application_execution_filter"}, {"definition": "sourcetype=aws:s3:accesslogs", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_s3_accesslogs"}, {"definition": "index=_audit \"action=login attempt\" \"info=failed\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd_failed_auths"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "any_powershell_downloadfile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_folderoptions_windows_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_local_admin_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_msiexec_dllregisterserver_filter"}, {"definition": "lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local| eval isDynDNS = coalesce(isDynDNS_default, isDynDNS_local)|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True", "description": "This macro limits the output of the query field to dynamic dns domains. 
It looks up the domains in a file provided by Splunk and one intended to be updated by the end user.", "name": "dynamic_dns_providers"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "osquery_pack___coldroot_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "processes_launching_netsh_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wsmprovhost_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_persistence_and_privilege_escalation_risk_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_curl_upload_to_remote_destination_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_process_running_from_new_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_credential_dumping_lsass_memory_createdump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_fail_to_authenticate_wth_explicitcredentials_filter"}, {"definition": "index=_internal sourcetype=splunkd_ui_access", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "path_traversal_spl_injection"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_provisioning_activity_from_previously_unseen_region_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_mimikatz_using_loaded_images_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "high_process_termination_frequency_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cross_account_activity_from_previously_unseen_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "elevated_group_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_unix_shell_enable_all_sysrq_functions_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_spring_cloud_function_functionrouter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_rundll32_application_control_bypass___syssetup_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_stop_logging_cloudtrail_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regasm_with_network_connection_filter"}, {"definition": "search 
*", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_memory_crash_dump_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_regsvcs_spawning_a_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "get_foresttrust_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_forest_discovery_with_getforestdomain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_mimikatz_binary_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_log_cleared_filter"}, {"arguments": ["field"], "definition": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)", "description": "convert epoch time to string", "name": "security_content_ctime"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_new_login_attempts_to_routers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_denied_mfa_requests_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "silentcleanup_uac_bypass_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_product_spawning_windows_script_host_filter"}, {"definition": "search *", "description": "Update this macro 
to limit the output results to filter out false positives.", "name": "cobalt_strike_named_pipes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_creation_on_remote_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_query_registry_browser_list_application_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_powershell_export_pfxcertificate_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_system_discovery_with_wmic_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusual_number_of_remote_endpoint_authentication_events_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_new_client_credentials_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_start_bitstransfer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "correlation_by_user_and_risk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_command_back_to_normal_mode_boot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_access_token_manipulation_sedebugprivilege_filter"}, {"definition": "search *", "description": "Update this 
macro to limit the output results to filter out false positives.", "name": "linux_setuid_using_chmod_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_controlpanel_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_domain_enumeration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_spynet_reporting_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "office_document_creating_schedule_task_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_sharphound_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "asl_aws_new_mfa_method_registered_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_advanced_audit_disabled_filter"}, {"definition": "lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true", "description": "This macro limits the output to process names that are in the Windows System directory", "name": "is_windows_system_file"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_automation_runbook_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ms_exchange_mailbox_replication_service_writing_active_server_pages_filter"}, {"definition": 
"search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_user_execution_malicious_url_shortcut_file_filter"}, {"definition": "sourcetype=\"aws:cloudwatchlogs:eks\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "aws_cloudwatchlogs_eks"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_cross_domain_sid_history_addition_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_install_kernel_module_using_modprobe_utility_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "schtasks_used_for_forcing_a_reboot_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_disable_services_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_scanning_findings_medium_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_rundll32_webdav_with_network_connection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_suspicious_process_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "abnormally_high_aws_instances_launched_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "disable_show_hidden_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_high_number_of_failed_authentications_for_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_edit_cron_table_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_service_spawned_shell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_malicious_requests_to_exploit_jboss_servers_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "getadcomputer_with_powershell_script_block_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "icedid_exfiltrated_archived_file_creation_filter"}, {"definition": "(Processes.process_name=regsvr32.exe OR Processes.original_file_name=REGSVR32.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_regsvr32"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "bcdedit_failure_recovery_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_decode_base64_to_shell_filter"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_uninstall_option_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "credential_dumping_via_symlink_to_shadow_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_gcp_storage_access_from_a_new_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_rbac_authorization_by_account_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_reflected_xss_on_app_search_table_endpoint_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cmd_carry_out_string_command_parameter_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_windows_behavior_monitoring_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_s3_exfiltration_behavior_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ami_atttribute_modification_for_exfiltration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"suspicious_linux_discovery_commands_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_suspicious_kubectl_calls_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "process_writing_dynamicwrapperx_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disabling_windows_local_security_authority_defences_via_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_simplerequest_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "hunting_3cxdesktopapp_software_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_certify_with_powershell_script_block_logging_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "ssl_certificates_with_punycode_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_msbuild_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spike_in_file_writes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_scanner_image_pulling_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"gsuite_email_with_known_abuse_web_service_link_filter"}, {"definition": "(Processes.process_name=curl.exe OR Processes.original_file_name=Curl.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_curl"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_create_remote_thread_to_a_process_filter"}, {"definition": "sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "sysmon"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "conti_common_exec_parameter_filter"}, {"definition": "(Processes.process_name=\"net.exe\" OR Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"net1.exe\" OR Processes.original_file_name=\"net1.exe\")", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_net"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_detect_sts_assume_role_abuse_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_cloud_provisioning_from_previously_unseen_country_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmi_temporary_event_subscription_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to 
filter out false positives.", "name": "azure_ad_application_administrator_role_assigned_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "check_elevated_cmd_using_whoami_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "account_discovery_with_net_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "uac_bypass_with_colorui_com_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_distinct_processes_from_windows_temp_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unload_sysmon_filter_driver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_outbound_email_with_attachment_to_external_domain_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "allow_file_and_printing_sharing_in_firewall_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_service_started_or_enabled_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_microsoft_workflow_compiler_rename_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_deletion_of_init_daemon_script_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter 
out false positives.", "name": "windows_deleted_registry_by_a_non_critical_process_file_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_azure_detect_sensitive_role_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_service_create_with_tscon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_possible_append_command_to_profile_config_file_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_at_application_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_aws_console_login_by_new_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_defender_asr_block_events_filter"}, {"definition": "sourcetype=MSExchange:management", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "msexchange_management"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_renamed_psexec_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unusually_long_command_line___mltk_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_remote_services_allow_remote_assistance_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_xss_via_view_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_service_principal_created_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "local_account_discovery_with_net_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_impair_defenses_process_kill_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_multiple_users_failing_to_authenticate_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_security_group_activity_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_f5_tmui_rce_cve_2020_5902_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", 
"name": "juniper_networks_remote_code_execution_exploit_detection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "esentutl_sam_copy_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_system_reboot_via_system_request_key_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_anomalous_inbound_outbound_network_io_filter"}, {"definition": "(Processes.process_name IN (\"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh\", \"tcsh\", \"ion\", \"eshell\"))", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_shells"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_protocol_impersonation_weak_encryption_configuration_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_binary_proxy_execution_compiled_html_file_decompile_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "nltest_domain_trust_discovery_filter"}, {"definition": "index=_audit sourcetype=audittrail", "description": "Macro to enable easy searching of audittrail logs", "name": "audittrail"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "clear_unallocated_sector_using_cipher_app_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_rasautou_dll_execution_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_event_triggered_image_file_execution_options_injection_filter"}, {"definition": "index=*", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "linux_hosts"}, {"definition": "(Processes.process_name=msiexec.exe OR Processes.original_file_name=msiexec.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_msiexec"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_doas_conf_file_creation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_sensitive_object_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_invoke_wmiexec_usage_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_visudo_utility_execution_filter"}, {"definition": "(Processes.process_name=verclsid.exe OR Processes.original_file_name=verclsid.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_verclsid"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_credentials_from_password_stores_chrome_extension_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "script_execution_via_wmi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell___connect_to_internet_with_hidden_window_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_outbound_smb_traffic_filter"}, {"definition": "source=\"WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "remoteconnectionmanager"}, {"definition": "lookup update=true lookup_uncommon_processes_default process_name as process_name outputnew uncommon_default,category_default,analytic_story_default,kill_chain_phase_default,mitre_attack_default | lookup update=true lookup_uncommon_processes_local process_name as process_name outputnew uncommon_local,category_local,analytic_story_local,kill_chain_phase_local,mitre_attack_local | eval uncommon = coalesce(uncommon_default, uncommon_local), analytic_story = coalesce(analytic_story_default, analytic_story_local), category=coalesce(category_default, category_local), kill_chain_phase=coalesce(kill_chain_phase_default, kill_chain_phase_local), mitre_attack=coalesce(mitre_attack_default, mitre_attack_local) | fields - analytic_story_default, analytic_story_local, category_default, category_local, kill_chain_phase_default, kill_chain_phase_local, mitre_attack_default, mitre_attack_local, uncommon_default, uncommon_local | search uncommon=true", "description": "This macro limits the output to processes that have been marked as uncommon", "name": 
"uncommon_processes"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kerberos_service_ticket_request_using_rc4_encryption_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_octave_privilege_escalation_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ingress_tool_transfer_using_explorer_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "attacker_tools_on_endpoint_filter"}, {"definition": "index=zeek sourcetype=\"zeek:rpc:json\"", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "zeek_rpc"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "suspicious_writes_to_system_volume_information_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_schtasks_create_run_as_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_api_activity_from_users_without_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_nirsoft_advancedrun_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_large_outbound_icmp_packets_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false 
positives.", "name": "splunk_user_enumeration_attempt_filter"}, {"definition": "(Processes.process_name=installutil.exe OR Processes.original_file_name=InstallUtil.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_installutil"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_uac_bypass_suspicious_escalation_behavior_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "7zip_commandline_to_smb_share_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_server_object_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_change_file_owner_to_root_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_psexec_with_accepteula_flag_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "excessive_file_deletion_in_windefender_folder_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_scheduled_task_with_highest_privileges_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_defense_evasion_update_cloudtrail_filter"}, {"definition": "sourcetype=gsuite:calendar:json", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "gsuite_calendar"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_nginx_ingress_rfi_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "interactive_session_on_remote_endpoint_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_local_administrator_credential_stuffing_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_disable_mfa_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_concurrent_sessions_from_different_ips_filter"}, {"definition": "lookup update=true brandMonitoring_lookup domain as urls OUTPUT domain_abuse | search domain_abuse=true", "description": "This macro limits the output to only domains that are in the brand monitoring lookup file", "name": "brand_abuse_web"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "powershell_remote_services_add_trustedhost_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_system_shutdown_commandline_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "active_directory_lateral_movement_identified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_abnormal_object_access_activity_filter"}, 
{"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "reg_exe_used_to_hide_files_directories_via_registry_keys_filter"}, {"definition": "(query=www* AND query = m* AND query=static*)", "description": "This limits the query fields to domains that are associated with evilginx masquerading as FaceBook", "name": "evilginx_phishlets_facebook"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_dll_search_order_hijacking_hunt_with_sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_short_lived_domain_controller_spn_attribute_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ec2_snapshot_shared_externally_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_unusual_number_of_failed_authentications_from_ip_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_impair_defenses_disable_hvci_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_desktop_process_running_on_system_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_windbg_spawning_autoit3_filter"}, {"definition": "sourcetype=stream:dns", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "stream_dns"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "o365_add_app_role_assignment_grant_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_sid_history_attribute_modified_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "unloading_amsi_via_reflection_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_exfiltration_via_bucket_replication_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "rundll32_process_creating_exe_dll_files_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "web_jsp_request_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "cloud_compute_instance_created_by_previously_unseen_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_disable_change_password_through_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_iptables_firewall_modification_filter"}, {"definition": "(Processes.process_name=hh.exe OR Processes.original_file_name=HH.EXE)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_hh"}, {"definition": "search *", 
"description": "Update this macro to limit the output results to filter out false positives.", "name": "supernova_webshell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_oauth_application_consent_granted_by_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_multiple_appids_and_useragents_authentication_spike_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "splunk_stored_xss_via_data_model_objectname_field_filter"}, {"definition": "(Processes.process_name=runas.exe OR Processes.original_file_name=runas.exe)", "description": "Matches the process with its original file name, data for this macro came from https://strontic.github.io/", "name": "process_runas"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_phishing_recent_iso_exec_registry_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_terminating_lsass_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_possible_credential_dumping_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "spoolsv_writing_a_dll___sysmon_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "mmc_lolbas_execution_process_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": 
"windows_modify_registry_wuserver_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_proxy_socks_curl_filter"}, {"definition": "sourcetype=kube:objects:events", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "kube_objects_events"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "disable_defender_blockatfirstseen_feature_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "wmic_xsl_execution_via_url_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "gsuite_suspicious_calendar_invite_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_replication_through_removable_media_filter"}, {"definition": "eventtype=okta_log", "description": "customer specific splunk configurations(eg- index, source, sourcetype). 
Replace the macro definition with configurations for your Splunk Environmnent.", "name": "okta"}, {"definition": "Country=\"United States\"", "description": "Define your locations which are allowed to connect to your kubernetes cluster.", "name": "kube_allowed_loactions"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_ad_dsrm_account_changes_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "linux_ssh_authorized_keys_modification_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "azure_ad_tenant_wide_admin_consent_granted_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_windows_dns_sigred_via_splunk_stream_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_installutil_in_non_standard_path_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_spike_in_s3_bucket_deletion_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "detect_azurehound_file_modifications_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "firewall_allowed_program_enable_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_users_failed_to_authenticate_from_process_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to 
filter out false positives.", "name": "o365_excessive_sso_logon_errors_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "scheduled_tasks_used_in_badrabbit_ransomware_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos_filter"}, {"definition": "index=_internal sourcetype=splunkd", "description": "customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.", "name": "splunkd"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "aws_ecr_container_upload_unknown_user_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "delete_shadowcopy_with_powershell_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "potential_password_in_username_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "possible_lateral_movement_powershell_spawn_filter"}, {"definition": "search *", "description": "Update this macro to limit the output results to filter out false positives.", "name": "remote_process_instantiation_via_winrm_and_powershell_filter"}]} \ No newline at end of file diff --git a/dist/api/stories.json b/dist/api/stories.json index 96aaab7eb7..508698db7c 100644 --- a/dist/api/stories.json 
+++ b/dist/api/stories.json 
@@ -1 +1 @@ -{"stories": [{"name": "3CX Supply Chain Attack", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. 
A new certificate for the app will also be produced.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "tags": {"name": "3CX Supply Chain Attack", "analytic_story": "3CX Supply Chain Attack", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", 
"ZIRCONIUM"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}]}, {"name": "IcedID", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking 
trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"name": "IcedID", "analytic_story": "IcedID", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", 
"BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": 
["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", 
"Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", 
"TA551"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", 
"EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", 
"TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], 
"mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN13", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "Windigo", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable 
Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In 
Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, 
{"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, 
{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy 
Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Local System"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "author": "Matthew Moore, Patrick Bareiss, Splunk", "date": "2024-01-08", "version": 1, "id": "7589023b-3d98-42b3-ab1c-bb498e68fc2d", "description": "Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. 
These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.", "narrative": "Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. 
Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.", "references": ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"], "tags": {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "analytic_story": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Baseline Of Kubernetes Container Network IO", "ESCU - Baseline Of Kubernetes Container Network IO Ratio", "ESCU - Baseline Of Kubernetes Process Resource", "ESCU - Baseline Of Kubernetes Process Resource Ratio"], "author_company": "Patrick Bareiss, Splunk", "author_name": "Matthew Moore", "detections": [{"name": "Kubernetes Anomalous Inbound Outbound Network IO", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Anomalous Inbound to Outbound 
Network IO Ratio", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Previously Unseen Container Image Name", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Process Running From New Path", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Shell Running on Worker Node", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}]}, {"name": "AcidRain", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "c68717c6-4938-434b-987c-e1ce9d516124", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. 
This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "AcidRain", "analytic_story": "AcidRain", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux High 
Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}]}, {"name": "Active Directory Discovery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-20", "version": 1, "id": "8460679c-2b21-463e-b381-b813417c32f2", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. 
These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\\\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "Active Directory Discovery", "analytic_story": "Active Directory Discovery", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System 
Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", 
"Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", 
"APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, 
{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", 
"Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script 
Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with 
Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery 
With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password 
Policy Discovery"}]}}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network 
Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows AD Abnormal Object Access Activity", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows AD Privileged Object Access Activity", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Forest Discovery with GetForestDomain", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Lateral Tool Transfer"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Suspect Process With Authentication Traffic", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}]}, {"name": "Active Directory Kerberos Attacks", "author": "Mauricio Velazco, Splunk", "date": "2022-02-02", "version": 1, "id": "38b8cf16-8461-11ec-ade1-acde48001122", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. 
With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\\ This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "tags": {"name": "Active Directory Kerberos Attacks", "analytic_story": "Active Directory Kerberos Attacks", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", 
"mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "MuddyWater", "Sandworm Team", "Silent Librarian", "TA551"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", 
"Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Authentication", "Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz 
PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With 
Get-ADUser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Identity Information"}, {"mitre_attack_technique": "Email Addresses"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use 
Alternate Authentication Material"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using 
Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password 
Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Active Directory Lateral Movement", "author": "David Dorsey, Mauricio Velazco Splunk", "date": "2021-12-09", "version": 3, "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\\\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\\\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. 
Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\\\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. \\\n It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "tags": {"name": "Active Directory Lateral Movement", "analytic_story": "Active Directory Lateral Movement", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "Chimera", "FIN13", "GALLIUM", "Kimsuky", "Wizard Spider"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat 
Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", 
"Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", 
"OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial 
Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", 
"ESCU - Short Lived Scheduled Task - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Hash"}]}}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Randomly 
Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI and PowerShell", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}]}}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows 
Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}, {"mitre_attack_technique": "Remote Service Session Hijacking"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Wmiprsve 
LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "Active Directory Password Spraying", "author": "Mauricio Velazco, Splunk", "date": "2021-04-07", "version": 2, "id": "3de109da-97d2-11eb-8b6a-acde48001122", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\\\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. 
As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\\\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. 
The presented detections can also be used in Threat Hunting exercises.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "tags": {"name": "Active Directory Password Spraying", "analytic_story": "Active Directory Password Spraying", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth 
Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows 
Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual 
Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\\\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. 
Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\\\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "tags": {"name": "Active Directory Privilege Escalation", "analytic_story": "Active Directory Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": 
["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential 
Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos 
Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}]}}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Administrative 
Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}}, {"name": "Windows Group 
Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}}]}, {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "e33e2e38-f9c2-432d-8be6-bc67b92aa82e", "description": "In July 2023, a significant vulnerability, 
CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.", "narrative": "Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash.\\ Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. 
\\ The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. \\ Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures. \\\nIn conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.", "references": ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"], "tags": {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "analytic_story": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", 
"mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Adobe ColdFusion Access Control Bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "AgentTesla", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "9bb6077a-843e-418b-b134-c57ef997103c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. 
AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"name": "AgentTesla", "analytic_story": "AgentTesla", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", 
"BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon 
Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail 
Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD 
Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", 
"type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, 
{"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}]}, {"name": "Amadey", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. 
It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "tags": {"name": "Amadey", "analytic_story": "Amadey", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE 
BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", 
"APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", 
"CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - 
Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Powershell RemoteSigned File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Apache Struts Vulnerability", "author": "Rico Valdez, Splunk", "date": "2018-12-06", "version": 1, "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta 
Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack. \\\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\\\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\\\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\\\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\\\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. 
This can help tie different events together and give further situational awareness regarding the target.\\\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\\\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\\\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. 
This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\\\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. 
For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "tags": {"name": "Apache Struts Vulnerability", "analytic_story": "Apache Struts Vulnerability", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate Suspicious Strings in HTTP Header - Response Task", "ESCU - Investigate Web POSTs From src - Response 
Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Asset Tracking", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. 
For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "tags": {"name": "Asset Tracking", "analytic_story": "Asset Tracking", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Sessions"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["ESCU - Get First Occurrence and Last Occurrence of a MAC Address - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Count of assets by category"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "AsyncRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. 
The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "tags": {"name": "AsyncRAT", "analytic_story": "AsyncRAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", 
"Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus 
Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", 
"Windshift"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or 
Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows 
Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. 
The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "analytic_story": "Atlassian Confluence Server and Data Center CVE-2022-26134", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], 
"datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "AwfulShred", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. 
This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "AwfulShred", "analytic_story": "AwfulShred", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1562.001", 
"mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - 
Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}]}}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, 
{"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. 
IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. 
After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "tags": {"name": "AWS Cross Account Activity", "analytic_story": "AWS Cross Account Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By AccessKeyId - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Cross Account Activity"], 
"author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}]}, {"name": "AWS Defense Evasion", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-15", "version": 1, "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. 
Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "tags": {"name": "AWS Defense Evasion", "analytic_story": "AWS Defense Evasion", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or 
Modify Cloud Logs"}]}}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}}]}, {"name": "AWS IAM Privilege Escalation", "author": "Bhavin Patel, Splunk", "date": "2021-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", 
"narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\\\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "tags": {"name": "AWS IAM Privilege Escalation", "analytic_story": "AWS IAM Privilege Escalation", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", 
"TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": 
["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS Password Policy Changes - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "ASL AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": 
"cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}]}, {"name": "AWS Identity and Access Management Account Takeover", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-19", "version": 2, "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. 
This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "tags": {"name": "AWS Identity and Access Management Account Takeover", "analytic_story": "AWS Identity and Access Management Account Takeover", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", 
"mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1552", 
"mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS High Number Of Failed 
Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "AWS Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 2, "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. 
It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "tags": {"name": "AWS Network ACL Activity", "analytic_story": "AWS Network ACL Activity", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response 
Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS", "ESCU - Baseline of Network ACL Activity by ARN"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}]}}]}, {"name": "AWS Security Hub Alerts", "author": "Bhavin Patel, Splunk", "date": "2020-08-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "references": 
["https://aws.amazon.com/security-hub/features/"], "tags": {"name": "AWS Security Hub Alerts", "analytic_story": "AWS Security Hub Alerts", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "AWS User Monitoring", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. 
In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage. \\\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\\\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "tags": {"name": "AWS User Monitoring", "analytic_story": "AWS User Monitoring", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - ASL AWS Excessive 
Security Scanning - Rule", "ESCU - AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"], "baseline_names": ["ESCU - Baseline of Security Group Activity by ARN", "ESCU - Create a list of approved AWS service accounts", "ESCU - Baseline of API Calls per User ARN", "ESCU - Previously seen API call per user roles in CloudTrail"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS Excessive Security Scanning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Azorult", "author": "Teoderick Contreras, Splunk", "date": "2022-06-09", "version": 1, "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. 
This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Azorult", "analytic_story": "Azorult", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", 
"mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", 
"Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", 
"APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], 
"mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", 
"LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, 
{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", 
"mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", 
"TeamTNT", "Thrip"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - 
Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], 
"baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access 
Removal"}]}}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network 
Connections Discovery"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify 
Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing 
Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Azure Active Directory Account Takeover", "author": "Mauricio Velazco, Splunk", "date": "2022-07-14", "version": 2, "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "description": "Monitor for activities and techniques associated with Account Takover attacks against Azure Active Directory tenants.", "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. 
This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "tags": {"name": "Azure Active Directory Account Takeover", "analytic_story": "Azure Active Directory Account Takeover", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial 
Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", 
"LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied 
MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "Azure AD Device Code Authentication", "source": 
"cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Azure AD Multiple Denied MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD OAuth Application Consent Granted By User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": 
"Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Azure AD User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "Azure AD User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}]}, {"name": "Azure Active Directory Persistence", "author": "Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "dca983db-6334-4a0d-be32-80611ca1396c", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\\ Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. 
This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "tags": {"name": "Azure Active Directory Persistence", "analytic_story": "Azure Active Directory Persistence", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Domain Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": 
["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New 
Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Domain Trust Modification"}]}}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Domain Trust Modification"}]}}, {"name": "Azure AD New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, 
{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Azure Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "ec78e872-b79c-417d-b256-8fde902522fb", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\\\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\\\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. 
Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\\\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"name": "Azure Active Directory Privilege Escalation", "analytic_story": "Azure Active Directory Privilege Escalation", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Persistence", "Privilege Escalation"], "datamodels": 
["Authentication"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account 
Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}]}, {"name": "Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. 
Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "tags": {"name": "Baron Samedit CVE-2021-3156", "analytic_story": "Baron Samedit CVE-2021-3156", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege 
Escalation"}]}}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "author": "Michael Haag, Splunk", "date": "2023-01-24", "version": 1, "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "tags": {"name": "BishopFox Sliver Adversary Emulation Framework", "analytic_story": "BishopFox Sliver Adversary Emulation Framework", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", 
"Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "BITS Jobs", "author": "Michael Haag, Splunk", "date": "2021-03-26", "version": 1, "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious 
payloads.", "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "tags": {"name": "BITS Jobs", "analytic_story": "BITS Jobs", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", 
"BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}]}, {"name": "BlackByte Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "b18259ac-0746-45d7-bd1f-81d65274a80b", "description": "Leverage searches that allow you to detect and investigate unusual 
activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.", "narrative": "BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"name": "BlackByte Ransomware", "analytic_story": "BlackByte Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", 
"Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", 
"mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, 
{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", 
"LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], 
"mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", 
"TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": 
"Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - 
Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious 
GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "W3WP Spawning 
Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Modify Registry EnableLinkedConnections", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry LongPathsEnabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}]}}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "BlackLotus Campaign", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. 
(ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "tags": {"name": "BlackLotus Campaign", "analytic_story": "BlackLotus Campaign", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1542.003", "mitre_attack_technique": "Bootkit", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT28", "APT41", "Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", 
"ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bootkit"}]}}]}, {"name": "Brand Monitoring", "author": "David Dorsey, Splunk", "date": "2017-12-19", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\\\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. 
Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\\\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "tags": {"name": "Brand Monitoring", "analytic_story": "Brand Monitoring", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Resolution", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - DNSTwist Domain Names"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Brute Ratel C4", "author": "Teoderick 
Contreras, Splunk", "date": "2022-08-23", "version": 1, "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"name": "Brute Ratel C4", "analytic_story": "Brute Ratel C4", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": 
"Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", 
"mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Defense Evasion", "Execution", "Impact", "Initial Access", "Persistence", "Privilege 
Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Access Token Manipulation 
SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials"}, {"mitre_attack_technique": "Gather Victim Identity Information"}]}}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "GUI Input Capture"}, {"mitre_attack_technique": "Input Capture"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, 
{"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Caddy Wiper", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. 
This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "tags": {"name": "Caddy Wiper", "analytic_story": "Caddy Wiper", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}]}, {"name": "CISA AA22-257A", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "description": "The Iranian government-sponsored APT actors are actively targeting a broad 
range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. 
This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "tags": {"name": "CISA AA22-257A", "analytic_story": "CISA AA22-257A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", 
"Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard 
Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect 
Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "SSH"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "CISA AA22-264A", "author": "Michael Haag, Splunk", "date": "2022-09-22", "version": 1, "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "description": 
"Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "tags": {"name": "CISA AA22-264A", "analytic_story": "CISA AA22-264A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", 
"FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, 
{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", 
"TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - 
Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, 
{"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk 
Wipe"}]}}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "CISA AA22-277A", "author": "Michael Haag, Splunk", "date": "2022-10-05", "version": 1, "id": "db408f93-e915-4215-9962-5fada348bdd7", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "tags": {"name": "CISA AA22-277A", "analytic_story": "CISA AA22-277A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", 
"Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth 
Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto 
Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", 
"BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - 
Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows 
Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}]}, {"name": "CISA AA22-320A", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. 
In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "CISA AA22-320A", "analytic_story": "CISA AA22-320A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": 
["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", 
"Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", 
"LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark 
Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat 
Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender 
Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, 
{"mitre_attack_technique": "Service Execution"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege 
Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload 
Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "CISA AA23-347A", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-14", "version": 1, "id": "bca933b5-f9b4-46dc-884a-5afa475392e9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.", "narrative": "SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. 
Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"name": "CISA AA23-347A", "analytic_story": "CISA AA23-347A", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account 
Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", 
"Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", 
"Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", 
"Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup 
Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", 
"FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token 
Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": 
["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003.004", "mitre_attack_technique": "LSA Secrets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT33", "Dragonfly", "Ke3chang", "Leafminer", "MuddyWater", "OilRig", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1057", "mitre_attack_technique": "Process Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "Andariel", "Chimera", "Darkhotel", "Deep Panda", "Earth Lusca", "Gamaredon Group", "HAFNIUM", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Rocke", "Sidewinder", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windshift", "Winnti Group"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], 
"mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk", "Web"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI 
Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS 
Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - 
Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": 
"TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, 
{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon 
Autostart Execution"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Account Discovery for None Disable User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Account Discovery for Sam Account Name", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Archive Collected Data via Powershell", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Windows Common 
Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Known GraphicalProton Loaded Modules", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows LSA Secrets NoLMhash Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSA Secrets"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Modify Registry Disable Restricted Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Process Commandline Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Discovery"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows System User Privilege Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "b5394b6a-b774-4bb6-a2bc-98f98cf7be88", "description": "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. 
Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.", "narrative": "Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. 
For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"], "tags": {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "analytic_story": "Cisco IOS XE Software Web Management User Interface vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Cisco IOS XE Implant Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Cisco IOS XE Implant Access", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b194d644-4095-431a-bee0-a8e6ec067414", "description": "A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. 
This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.", "narrative": "On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. 
No workarounds are available for this vulnerability.", "references": ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"], "tags": {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "analytic_story": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing 
Application"}]}}]}, {"name": "Citrix Netscaler ADC CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-20", "version": 1, "id": "094df1fe-4345-4c01-8a0f-c65cf7b758bd", "description": "The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.", "narrative": "Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls. \\\nThe compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. 
Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures. \\\nThe threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \\\nAdvisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices. 
\\", "references": ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"], "tags": {"name": "Citrix Netscaler ADC CVE-2023-3519", "analytic_story": "Citrix Netscaler ADC CVE-2023-3519", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC Exploitation CVE-2023-3519", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Citrix ShareFile RCE CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "10c7e01a-5743-4995-99df-a66f6b5db653", "description": "A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. 
The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue.", "narrative": "The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution. \\\nThe application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception. \\\nThe Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used. 
\\\nThe vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update.", "references": ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "tags": {"name": "Citrix ShareFile RCE CVE-2023-24489", "analytic_story": "Citrix ShareFile RCE CVE-2023-24489", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], 
"mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Cloud Cryptomining", "author": "David Dorsey, Splunk", "date": "2019-10-02", "version": 1, "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. 
It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Cloud Cryptomining", "analytic_story": "Cloud Cryptomining", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", 
"OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Instances Destroyed", "ESCU - Baseline Of Cloud Instances Launched", "ESCU - Previously Seen Cloud Compute Creations By User - Initial", "ESCU - Previously Seen Cloud Compute Creations By User - Update", "ESCU - Previously Seen Cloud Compute Images - Initial", "ESCU - Previously Seen Cloud Compute Images - Update", "ESCU - Previously Seen Cloud Compute Instance Types - Initial", "ESCU - Previously Seen Cloud Compute Instance Types - Update", "ESCU - Previously Seen Cloud Regions - Initial", "ESCU - Previously Seen Cloud Regions - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": 
"Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Cloud Federated Credential Abuse", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. 
If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "tags": {"name": "Cloud Federated Credential Abuse", "analytic_story": "Cloud Federated Credential Abuse", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": 
["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - 
O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Certutil exe 
certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}]}, {"name": "Cobalt Strike", "author": "Michael Haag, Splunk", "date": "2021-02-16", "version": 1, "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. 
Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\\\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\\\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\\\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\\\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\\\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\\\n- What is the default, or normal, process lineage for spawnto_ value?\\\n- Does the spawnto_ value make network connections?\\\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\\\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. 
Tuning may need to occur to remove any false positives.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "tags": {"name": "Cobalt Strike", "analytic_story": "Cobalt Strike", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command 
Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 
Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}]}, {"name": "ColdRoot MacOS RAT", "author": "Jose Hernandez, Splunk", "date": "2019-01-09", "version": 1, "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. 
In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\\\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\\\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "tags": {"name": "ColdRoot MacOS RAT", "analytic_story": "ColdRoot MacOS RAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - 
Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate Network Traffic From src ip - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Collection and Staging", "author": "Rico Valdez, Splunk", "date": "2020-02-03", "version": 1, "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\\\n Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. 
\\\nUse the searches to detect and monitor suspicious behavior related to these activities.", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "tags": {"name": "Collection and Staging", "analytic_story": "Collection and Staging", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", 
"mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Detect Renamed WinRAR", "source": 
"endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}}]}, {"name": "Command And Control", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 1, "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\\\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. 
There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "tags": {"name": "Command And Control", "analytic_story": "Command And Control", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, 
{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS 
Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS", "ESCU - Baseline of DNS Query Length - MLTK", "ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted 
Non-C2 Protocol"}]}}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query 
Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}}]}, {"name": "Compromised User Account", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2023-01-19", "version": 1, "id": "19669154-e9d1-4a01-b144-e6592a078092", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "narrative": "Compromised User Account occurs when 
cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "tags": {"name": "Compromised User Account", "analytic_story": "Compromised User Account", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", 
"Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": 
["APT28", "APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Password Policy Changes - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": 
[], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "PingID Mismatch Auth Source and Verification Response", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "PingID Multiple Failed MFA Requests For User", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "PingID New MFA Method After Credential Reset", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "PingID New MFA Method Registered For User", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "ASL AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password 
Policy Discovery"}]}}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": 
"cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Credential Dumping", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 3, "id": 
"854d78bf-d0e2-4f4e-b05c-640905f86d7a", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\\\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. 
Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\\\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"name": "Credential Dumping", "analytic_story": "Credential Dumping", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": 
["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", 
"Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in 
username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["ESCU - Investigate Failed Logins for Multiple Destinations - Response Task", "ESCU - Investigate Pass the Hash Attempts - Response Task", "ESCU - Investigate Pass the Ticket Attempts - Response Task", "ESCU - Investigate Previous Unseen User - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "55721831-577e-41be-beef-bdc03c81486a", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, 
and FortiSwitchManager projects CVE-2022-40684.", "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "tags": {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "analytic_story": "CVE-2022-40684 Fortinet Appliance Auth bypass", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", 
"GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "author": "Michael Haag, Splunk", "date": "2023-03-10", "version": 1, "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. 
Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "tags": {"name": "CVE-2023-21716 Word RTF Heap Corruption", "analytic_story": "CVE-2023-21716 Word RTF Heap Corruption", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", 
"Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence 
Data Center and Server", "author": "Michael Haag, Splunk", "date": "2023-10-04", "version": 1, "id": "ead8eb10-9e7c-4a07-a44c-c6e73997a1a3", "description": "On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", "narrative": "Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\\\nBy monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation. \\\nFurthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints. 
\\\nIn parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"], "tags": {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "analytic_story": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence CVE-2023-22515 Trigger Vulnerability", 
"source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Web Remote ShellServlet Access", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "author": "Michael Haag, Splunk", "date": "2023-03-15", "version": 1, "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.\\ CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required.\\ The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. 
(2023, Microsoft)", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "analytic_story": "CVE-2023-23397 Outlook Elevation of Privilege", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}]}, {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 1, "id": "dd7fb691-63d6-47ad-9a7f-1b9005cefad2", "description": "CVE-2023-36884 is an unpatched zero-day 
vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.", "narrative": "CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch. \\\nAn attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access. \\\nCurrently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency. \\\nIn the meantime, users of Microsoft Defender for Office and those utilizing the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing. 
\\\nFor users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as \"1\". This action aims to mitigate the risk until a permanent fix is available. \\\nThe disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.", "references": ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"], "tags": {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "analytic_story": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", 
"BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "CyclopsBLink", "author": "Teoderick Contreras, Splunk", "date": "2022-04-07", "version": 1, "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. 
Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "CyclopsBLink", "analytic_story": "Cyclops BLink", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic 
Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "DarkCrystal RAT", "author": "Teoderick Contreras, Splunk", "date": "2022-07-26", "version": 1, "id": "639e6006-0885-4847-9394-ddc2902629bf", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. 
The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "tags": {"name": "DarkCrystal RAT", "analytic_story": "DarkCrystal RAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", 
"Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", 
"TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", 
"Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", 
"Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": 
"T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info 
Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, 
{"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware"}, {"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Windows Gather Victim Network 
Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Time Discovery"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "DarkGate Malware", "author": "Michael 
Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "a4727b27-9e68-48f0-94a2-253cfb30c15d", "description": "Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.", "narrative": "Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts. \\\nMarquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. 
The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components. \\\nThe analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks. \\\nSignificantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.", "references": ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"], "tags": {"name": "DarkGate Malware", "analytic_story": "DarkGate Malware", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", 
"HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], 
"mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", 
"GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": 
"Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", 
"menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", 
"Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive 
Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create 
Account"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Remote Services Add TrustedHost", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Archive Collected Data via Rar", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Windows AutoIt3 Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows CAB File on Disk", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials from Password Stores Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Indicator Removal Via Rmdir", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DontShowUI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry ProxyEnable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry ProxyServer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows MSIExec Spawn WinDBG", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows WinDBG Spawning AutoIt3", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Data Destruction", "author": "Teoderick Contreras, Splunk", "date": 
"2023-04-06", "version": 1, "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", 
"https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "tags": {"name": "Data Destruction", "analytic_story": "Data Destruction", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": 
["no"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", 
"Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", 
"Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", 
"GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], 
"mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", 
"OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": 
["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", 
"Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", 
"APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server 
Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", 
"Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - 
Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by 
Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in 
Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair 
Defenses"}]}}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Empire with PowerShell Script 
Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket 
Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, 
{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}]}}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Indicator Removal Service File Deletion", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon 
Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": 
"PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, 
{"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Data Exfiltration", "author": "Bhavin Patel, Shannon Davis, Splunk", "date": "2023-05-17", "version": 2, "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. 
They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\\\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "tags": {"name": "Data Exfiltration", "analytic_story": "Data Exfiltration", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": 
["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", 
"Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Exfiltration", "Impact", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - 
Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Atttribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via Batch Service", 
"source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious User Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}]}, {"name": "Data Protection", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "narrative": "Attackers can 
leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "tags": {"name": "Data Protection", "analytic_story": "Data Protection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Exfiltration", "Initial Access"], "datamodels": ["Change", "Change_Analysis", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Delivery"]}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic 
domain providers - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}]}, {"name": "Deobfuscate-Decode Files or Information", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. 
Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "references": ["https://attack.mitre.org/techniques/T1140/"], "tags": {"name": "Deobfuscate-Decode Files or Information", "analytic_story": "Deobfuscate-Decode Files or Information", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}]}, {"name": "AWS Cryptomining", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. 
New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. 
It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "AWS Cryptomining", "analytic_story": "AWS Cryptomining", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK", "ESCU - Previously Seen EC2 AMIs", "ESCU - Previously Seen EC2 Instance Types", "ESCU - Previously 
Seen EC2 Launches By User", "ESCU - Previously Seen AWS Regions"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "AWS Suspicious Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary. 
\\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "AWS Suspicious Provisioning Activities", "analytic_story": "AWS Suspicious Provisioning Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From City - Response Task", "ESCU - Get All AWS Activity From Country - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - 
Get All AWS Activity From Region - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Provisioning Activity Sources"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Common Phishing Frameworks", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. 
Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\\\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "tags": {"name": "Common Phishing Frameworks", "analytic_story": "Common Phishing Frameworks", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.003", "mitre_attack_technique": "Spearphishing via Service", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT29", "Ajax Security Team", "CURIUM", "Dark Caracal", "EXOTIC LILY", "FIN6", "Lazarus Group", "Magic Hound", "OilRig", "Windshift"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Network_Resolution", "Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["ESCU - Get Certificate logs for a domain - Response Task"], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing via Service"}]}}]}, {"name": "Container Implantation Monitoring and Investigation", "author": "Rod Soto, Rico Valdez, Splunk", "date": "2020-02-20", "version": 1, "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. 
These searches allow operator to monitor who, when and what was uploaded to container registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "tags": {"name": "Container Implantation Monitoring and Investigation", "analytic_story": "Container Implantation Monitoring and Investigation", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "author": "Rico Valdez, Splunk", "date": "2017-09-14", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. 
Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "tags": {"name": "Host Redirection", "analytic_story": "Host Redirection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows 
hosts file modification", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Kubernetes Sensitive Role Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "tags": {"name": "Kubernetes Sensitive Role Activity", "analytic_story": "Kubernetes Sensitive Role Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", 
"detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Lateral Movement", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. 
Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. 
Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "tags": {"name": "Lateral Movement", "analytic_story": "Lateral Movement", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. 
The story will also return the notable event history and all of the backup logs for an endpoint.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "tags": {"name": "Monitor Backup Solution", "analytic_story": "Monitor Backup Solution", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["ESCU - All backup logs for host - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Monitor Successful Backups", "ESCU - Monitor Unsuccessful Backups"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Monitor for Unauthorized Software", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "8892a655-6205-43f7-abba-06460e38c8ae", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. 
This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\\\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "tags": {"name": "Monitor for Unauthorized Software", "analytic_story": "Monitor for Unauthorized Software", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", 
"OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Add Prohibited Processes to Enterprise Security"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}]}, {"name": "Office 365 Detections", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "description": "Monitor for activities and anomalies indicative of potential threats within Office 365 environments.", "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all 
integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"], "tags": {"name": "Office 365 Detections", "analytic_story": "Office 365 Detections", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": []}, {"name": "Spectre And Meltdown Vulnerabilities", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "narrative": "Meltdown and Spectre exploit critical 
vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "references": ["https://meltdownattack.com/"], "tags": {"name": "Spectre And Meltdown Vulnerabilities", "analytic_story": "Spectre And Meltdown Vulnerabilities", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Vulnerabilities"], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Systems Ready for Spectre-Meltdown Windows Patch"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious AWS EC2 Activities", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. 
It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious AWS EC2 Activities", "analytic_story": "Suspicious AWS EC2 Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - 
Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK", "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK", "ESCU - Previously Seen EC2 Launches By User", "ESCU - Previously Seen AWS Regions"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Unusual AWS EC2 Modifications", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. 
Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised. \\\n Searches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Unusual AWS EC2 Modifications", "analytic_story": "Unusual AWS EC2 Modifications", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen EC2 
Modifications By User"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Web Fraud Detection", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\\\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. 
They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\\\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\\\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\\\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\\\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "tags": {"name": "Web Fraud Detection", "analytic_story": "Web Fraud Detection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid 
Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Web Session Information via session id - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}]}}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Detect Zerologon Attack", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "date": "2020-09-18", "version": 1, "id": "5d14a962-569e-4578-939f-f386feb63ce4", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein 
attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "tags": {"name": "Detect Zerologon Attack", "analytic_story": "Detect Zerologon Attack", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", 
"BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Lateral Movement"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, 
David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Dev Sec Ops", "author": "Patrick Bareiss, Splunk", "date": "2021-08-18", "version": 1, "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. 
In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Dev Sec Ops", "analytic_story": "Dev Sec Ops", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Client Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1567.002", 
"mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", 
"mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Discovery", "Execution", "Exfiltration", "Initial Access", "Persistence"], "datamodels": ["Risk"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - 
Rule", "ESCU - Correlation by User and Risk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Client Software Binary"}]}}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Client Software Binary"}]}}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "Github Commit Changes In Master", 
"source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Relationship"}]}}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Relationship"}]}}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, 
{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Risk Rule for Dev Sec Ops by Repository", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Correlation by Repository and Risk", "source": "deprecated", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Correlation by User and Risk", "source": "deprecated", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}]}, {"name": "DHS Report TA18-074A", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. 
Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. \\\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure. \\\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\\\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. 
While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "tags": {"name": "DHS Report TA18-074A", "analytic_story": "DHS Report TA18-074A", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", 
"Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": 
["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard 
Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", 
"Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task 
Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process File Activity - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "Disabling Security Tools", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 2, "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. 
Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "tags": {"name": "Disabling Security Tools", "analytic_story": "Disabling Security Tools", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, 
{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", 
"Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], 
"investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System 
Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "DNS Amplification Attacks", "author": "Bhavin Patel, Splunk", "date": "2016-09-13", "version": 1, "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. 
This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\\\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "tags": {"name": "DNS Amplification Attacks", "analytic_story": "DNS Amplification Attacks", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1498.002", "mitre_attack_technique": "Reflection Amplification", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Impact"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Reflection Amplification"}]}}]}, {"name": "DNS Hijacking", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 1, "id": "8169f17b-ef68-4b59-aa28-586907301221", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "narrative": "Dubbed the 
Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\\\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well. \\\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days: \\\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\\\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\\\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\\\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. 
If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well. \\\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\\\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "tags": {"name": "DNS Hijacking", "analytic_story": "DNS Hijacking", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": 
"T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task"], "baseline_names": ["ESCU - Discover DNS records"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over 
Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "author": "Mauricio Velazco, Splunk", "date": "2021-12-20", "version": 1, "id": "0244fdee-61be-11ec-900e-acde48001122", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). 
On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "tags": {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "analytic_story": "sAMAccountName Spoofing and Domain Controller Impersonation", "category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat 
Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}]}, {"name": "Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-25", "version": 1, "id": "e6f30f14-8daf-11eb-a017-acde48001122", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "narrative": "Domain trusts provide a mechanism for a domain to 
allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "references": ["https://attack.mitre.org/techniques/T1482/"], "tags": {"name": "Domain Trust Discovery", "analytic_story": "Domain Trust Discovery", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}]}, {"name": "Double Zero Destructor", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"name": "Double Zero Destructor", "analytic_story": "Double Zero Destructor", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Dynamic DNS", "author": "Bhavin Patel, Splunk", "date": "2018-09-06", "version": 2, "id": "8169f17b-ef68-4b59-aae8-586907301221", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. 
While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "tags": {"name": "Dynamic DNS", "analytic_story": "Dynamic DNS", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN13", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", 
"APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Web"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Protocols"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, 
{"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}]}, {"name": "Emotet Malware DHS Report TA18-201A ", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants. \\\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\\\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. 
", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "tags": {"name": "Emotet Malware DHS Report TA18-201A ", "analytic_story": "Emotet Malware DHS Report TA18-201A ", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", 
"FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, 
{"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Email", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Add Prohibited Processes to Enterprise Security"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", 
"tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Software Deployment Tools"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "F5 Authentication Bypass with TMUI", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "e4acbea6-75bb-4873-8c22-bc2da9525e89", "description": "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. 
F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively.", "narrative": "Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the \"Transfer-Encoding\" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions. \\\nSimilarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\\\nNuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. 
Prompt detection is a linchpin, potentially stymieing further, more destructive attacks.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "tags": {"name": "F5 Authentication Bypass with TMUI", "analytic_story": "F5 Authentication Bypass with TMUI", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 TMUI Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 TMUI Authentication Bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. 
There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "analytic_story": "F5 BIG-IP Vulnerability CVE-2022-1388", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered 
Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2020-08-02", "version": 1, "id": "7678c968-d46e-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. 
The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "tags": {"name": "F5 TMUI RCE CVE-2020-5902", "analytic_story": "F5 TMUI RCE CVE-2020-5902", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "FIN7", "author": "Teoderick Contreras, Splunk", "date": "2021-09-14", "version": 1, "id": 
"df2b00d3-06ba-49f1-b253-b19cef19b569", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "tags": {"name": "FIN7", "analytic_story": "FIN7", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, 
{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", 
"FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", 
"mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Delivery", 
"Exploitation", "Installation"]}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, 
{"mitre_attack_technique": "JavaScript"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create 
or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}]}, {"name": "Flax Typhoon", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "78fadce9-a07f-4508-8d14-9b20052a62cc", "description": "Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.", "narrative": "Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. 
The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "tags": {"name": "Flax Typhoon", "analytic_story": "Flax Typhoon", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], 
"mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", 
"OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - 
Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows SQL Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Forest Blizzard", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "2c1aceda-f0a5-4c83-8543-e23ec1466958", "description": "CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's \"Steal-It\" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.", "narrative": "APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's \"Steal-It\" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their \"Living Off The Land\" strategy, manipulating legitimate tools and services to blend in, evading detection. 
Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies.", "references": ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"], "tags": {"name": "Forest Blizzard", "analytic_story": "Forest Blizzard", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", 
"Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Headless Browser Mockbin or Mocky Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Window"}]}}, {"name": "Headless Browser Usage", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Window"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2023-02-21", "version": 1, "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. 
An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "tags": {"name": "Fortinet FortiNAC CVE-2022-39952", "analytic_story": "Fortinet FortiNAC CVE-2022-39952", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "GCP Account Takeover", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "8601caff-414f-4c6d-9a04-75b66778869d", "description": "Monitor for activities and techniques associated with Account Takover attacks against Google Cloud Platform tenants.", "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. 
This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "tags": {"name": "GCP Account Takeover", "analytic_story": "GCP Account Takeover", "category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", 
"mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP 
Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}]}, {"name": "GCP Cross Account Activity", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. 
After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "tags": {"name": "GCP Cross Account Activity", "analytic_story": "GCP Cross Account Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Email"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Graceful Wipe Out Attack", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. 
This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"name": "Graceful Wipe Out Attack", "analytic_story": "Graceful Wipe Out Attack", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": 
["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1531", 
"mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat 
Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": 
"T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, 
{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost 
with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, 
{"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "HAFNIUM Group", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 1, "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\\\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. 
This includes the ability to run code as SYSTEM and write to any path on the server.\\\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"name": "HAFNIUM Group", "analytic_story": "HAFNIUM Group", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting 
Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang 
Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": 
["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Execution", "Initial Access", "Lateral 
Movement", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software 
Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Ntdsutil Export NTDS", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}]}, {"name": "Hermetic Wiper", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "date": "2022-03-02", "version": 1, "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. 
This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "tags": {"name": "Hermetic Wiper", "analytic_story": "Hermetic Wiper", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic 
Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active 
Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", 
"mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", 
"Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, 
{"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", 
"Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy 
Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", 
"mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written 
in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - 
Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default 
File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Linux Java Spawning 
Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, 
{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}]}, {"name": "Hidden Cobra Malware", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\\\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\\\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. 
One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\\\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "tags": {"name": "Hidden Cobra Malware", "analytic_story": "Hidden Cobra Malware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", 
"FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", 
"Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Defense 
Evasion", "Execution", "Exfiltration", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Outbound Emails to Hidden Cobra Threat Actors - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Baseline of DNS Query Length - MLTK", "ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, 
{"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote 
Services"}]}}]}, {"name": "IIS Components", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\\\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\\\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. 
(reference MITRE)", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "IIS Components", "analytic_story": "IIS Components", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS 
Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS 
Components"}]}}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}]}, {"name": "Industroyer2", "author": "Teoderick Contreras, Splunk", "date": "2022-04-21", "version": 1, "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. 
This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"name": "Industroyer2", "analytic_story": "Industroyer2", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", 
"Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", 
"APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", 
"Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard 
Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of 
File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": 
"Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, 
{"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, 
{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Information Sabotage", "author": "Teoderick Contreras, Splunk", "date": "2021-11-17", "version": 1, "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "narrative": "Information sabotage is the type of crime many people associate with insider threat. 
Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "tags": {"name": "Information Sabotage", "analytic_story": "Information Sabotage", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}]}, {"name": "Ingress Tool Transfer", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. 
Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "references": ["https://attack.mitre.org/techniques/T1105/"], "tags": {"name": "Ingress Tool Transfer", "analytic_story": "Ingress Tool Transfer", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm 
Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, 
{"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Defense Evasion", "Execution", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": 
"PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux 
Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Insider Threat", "author": "Jose Hernandez, Splunk", "date": "2022-05-19", "version": 1, "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). 
To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "tags": {"name": "Insider Threat", "analytic_story": "Insider Threat", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", 
"OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Exfiltration", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": ["Actions on 
Objectives", "Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Ivanti EPMM Remote Unauthenticated Access", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 2, "id": "7e36ca54-c096-4a39-b724-6fc935164f0c", "description": "Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. 
With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "narrative": "Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server. \\\nRecently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/. \\\nWhen combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. 
Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.", "references": ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"], "tags": {"name": "Ivanti EPMM Remote Unauthenticated Access", "analytic_story": "Ivanti EPMM Remote Unauthenticated Access", "category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": 
["Delivery", "Installation"]}, "detection_names": ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "da229be2-4637-47a5-b551-1d4b64f411c6", "description": "A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise.", "narrative": "CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. 
The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges. \\\nWhile this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry. \\\nAs of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. 
Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "tags": {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "analytic_story": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Ivanti Sentry Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti Sentry Authentication Bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "JBoss Vulnerability", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing 
and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\\\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\\\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\\\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\\\nThe following factors may assist you in determining whether the event is malicious: \\\n1. Country of origin\\\n1. Responsible party\\\n1. 
Fully qualified domain names associated with the external IP address\\\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\\\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\\\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. 
Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. \\\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. 
If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "tags": {"name": "JBoss Vulnerability", "analytic_story": "JBoss Vulnerability", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Discovery", "Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect 
malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "JetBrains TeamCity Unauthenticated RCE", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf", "description": "A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version.", "narrative": "The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. 
Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. \\ For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "tags": {"name": "JetBrains TeamCity Unauthenticated RCE", "analytic_story": "JetBrains TeamCity Unauthenticated RCE", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - 
JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Juniper JunOS Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "3fcef843-c97e-4cf3-a72f-749be480cee3", "description": "Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes.", "narrative": "Juniper Networks, a networking hardware company, has released an \"out-of-cycle\" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). 
These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication. \\\nThe vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts. \\\nAdditionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a \"world-ending\" unauthenticated remote code execution. 
\\\nIn conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"], "tags": {"name": "Juniper JunOS Remote Code Execution", "analytic_story": "Juniper JunOS Remote Code Execution", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", 
"Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Juniper Networks Remote Code Execution Exploit Detection", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Kubernetes Scanning Activity", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by 
providing information on items such as source ip, user agent, cluster names.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "tags": {"name": "Kubernetes Scanning Activity", "analytic_story": "Kubernetes Scanning Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["ESCU - Amazon EKS Kubernetes activity by src ip - Response Task", "ESCU - GCP Kubernetes activity by src ip - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}]}, {"name": "Kubernetes Security", "author": "Patrick Bareiss", "date": "2023-12-06", "version": 1, "id": "77006b3a-306c-4e32-afd5-30b6e40c1c41", "description": "Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications.", "narrative": "Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. 
Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense.", "references": ["https://kubernetes.io/docs/concepts/security/"], "tags": {"name": "Kubernetes Security", "analytic_story": "Kubernetes Security", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1046", "mitre_attack_technique": "Network Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "BackdoorDiplomacy", "BlackTech", "Chimera", "Cobalt Group", "DarkVishnya", "FIN13", "FIN6", "Fox Kitten", "Lazarus Group", "Leafminer", "Magic Hound", "Naikon", "OilRig", "Rocke", "Suckfly", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Discovery", "Execution"], "datamodels": 
[], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Patrick Bareiss", "detections": [{"name": "Kubernetes Abuse of Secret by Unusual Location", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Container API"}]}}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Container API"}]}}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Container API"}]}}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Container API"}]}}, {"name": "Kubernetes Access Scanning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Service Discovery"}]}}, {"name": "Kubernetes Suspicious Image Pulling", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Kubernetes Unauthorized Access", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}]}, {"name": "Kubernetes Sensitive Object Access Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, 
"id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "tags": {"name": "Kubernetes Sensitive Object Access Activity", "analytic_story": "Kubernetes Sensitive Object Access Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": 
"Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Linux Living Off The Land", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. 
The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "references": ["https://gtfobins.github.io/"], "tags": {"name": "Linux Living Off The Land", "analytic_story": "Linux Living Off The Land", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", 
"mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", 
"Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", 
"FIN6", "HAFNIUM", "Metador", "PLATINUM"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege 
Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", 
"type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": 
"Unix Shell"}]}}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Linux Possible Access Or 
Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}]}}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH"}]}}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Linux Persistence Techniques", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "narrative": "Maintaining persistence is one of the first steps taken by 
attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "tags": {"name": "Linux Persistence Techniques", "analytic_story": "Linux Persistence Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": 
"T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - 
Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Persistence and Privilege Escalation Risk 
Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudoers Tmp File Creation", "source": 
"endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Linux Post-Exploitation", "author": "Rod Soto", "date": "2021-12-03", "version": 1, "id": "d310ccfe-5477-11ec-ad05-acde48001122", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "tags": {"name": "Linux Post-Exploitation", "analytic_story": "Linux Post-Exploitation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}]}}]}, {"name": "Linux Privilege Escalation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 
1, "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Linux Privilege Escalation", "analytic_story": "Linux Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": 
["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, 
{"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", 
"Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find 
Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility 
Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Busybox Privilege 
Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux 
Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Find Privilege Escalation", "source": 
"endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Node Privilege Escalation", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, 
{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Linux Rootkit", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. 
As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "tags": {"name": "Linux Rootkit", "analytic_story": "Linux Rootkit", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, 
"detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Rootkit"}]}}]}, {"name": "Living Off The Land", "author": "Lou Stella, Splunk", "date": "2022-03-16", "version": 2, "id": "6f7982e2-900b-11ec-a54a-acde48001122", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. 
This allows the adversary to blend in with native process behavior.", "references": ["https://lolbas-project.github.io/"], "tags": {"name": "Living Off The Land", "analytic_story": "Living Off The Land", "category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", 
"Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox 
Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", 
"Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", 
"GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": 
["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", 
"Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}, {"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Exfiltration", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", 
"Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", 
"ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Windows 
DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, 
{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, 
{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System 
Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Living Off The Land", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Plist File Modification"}]}}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows 
Service"}]}}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mavinject"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search 
Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, 
{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}]}}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Script Proxy Execution"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control 
Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-04-28", "version": 1, "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. 
In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "tags": {"name": "Local Privilege Escalation With KrbRelayUp", "analytic_story": "Local Privilege Escalation With KrbRelayUp", "category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows 
KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}]}, {"name": "Log4Shell CVE-2021-44228", "author": "Jose Hernandez", "date": "2021-12-11", "version": 1, "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. 
Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "tags": {"name": "Log4Shell CVE-2021-44228", "analytic_story": "Log4Shell CVE-2021-44228", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", 
"Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", 
"Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java 
User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Malicious PowerShell", "author": "David Dorsey, Splunk", "date": "2017-08-23", "version": 5, "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope. \\\nThe following factors may assist you in determining whether the event is malicious: \\\n1. Country of origin \\\n1. Responsible party \\\n1. Fully qualified domain names associated with the external IP address \\\n1. Registration of fully qualified domain names associated with external IP address \\\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. 
Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope. \\\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted. \\\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited. \\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well. \\\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. 
If categories are given for the URLs visited, that can help you zero in on possible malicious sites. \\\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "tags": {"name": "Malicious PowerShell", "analytic_story": "Malicious PowerShell", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", 
"Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge 
Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.006", 
"mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": 
["no"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell 
DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - 
Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, 
{"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model 
Hijacking"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, 
{"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Script Block With URL Chain", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell WebRequest Using Memory Stream", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Fileless Storage"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}]}, {"name": "Masquerading - Rename System Utilities", "author": "Michael Haag, Splunk", "date": "2021-04-26", "version": 1, "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\\\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\\\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. 
If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "tags": {"name": "Masquerading - Rename System Utilities", "analytic_story": "Masquerading - Rename System Utilities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", 
"LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - 
Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, 
{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}]}, {"name": "MetaSploit", "author": "Michael Haag, Splunk", "date": "2022-11-21", "version": 1, "id": "c149b694-bd08-4535-88d3-1f288a66313f", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. 
Because it is an open-source framework, it can be easily customized and used with most operating systems.\\\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. 
Varonis)", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "tags": {"name": "MetaSploit", "analytic_story": "MetaSploit", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": 
"Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Meterpreter", "author": "Michael Hart", "date": "2021-06-08", "version": 1, "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\\\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\\\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. 
It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "tags": {"name": "Meterpreter", "analytic_story": "Meterpreter", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "4ad4253e-10ca-11ec-8235-acde48001122", "description": "CVE-2021-40444 is a 
remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks. \\\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. 
This is a default setting but it may have been changed.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "tags": {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "analytic_story": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", 
"SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Spawning Control", "source": "endpoint", "type": 
"TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497d", "description": "This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability.", "narrative": "Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. 
Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"], "tags": {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "analytic_story": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Microsoft SharePoint Server Elevation of Privilege", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-05-31", "version": 1, "id": "2a60a99e-c93a-4036-af70-768fac838019", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "narrative": "A remote code 
execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "analytic_story": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": 
["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Monitor for Updates", "author": "Rico Valdez, Splunk", "date": "2017-09-15", "version": 1, "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\\\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\\\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. 
Patches and updates for other systems or applications are typically released as needed.", "references": ["https://learn.cisecurity.org/20-controls-download"], "tags": {"name": "Monitor for Updates", "analytic_story": "Monitor for Updates", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates"], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Windows Updates Install Failures", "ESCU - Windows Updates Install Successes"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "MOVEit Transfer Critical Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. 
This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\\\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\\\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\\\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\\\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\\\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. 
The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"], "tags": {"name": "MOVEit Transfer Critical Vulnerability", "analytic_story": "MOVEit Transfer Critical Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", 
"Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Netsh Abuse", "author": "Bhavin Patel, Splunk", "date": "2017-01-05", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. 
It can also be used to set up a remote connection to a host from an infected system.\\\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "tags": {"name": "Netsh Abuse", "analytic_story": "Netsh Abuse", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", 
"APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU 
- Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-14", "version": 1, "id": "af228995-f182-49d7-90b3-2a732944f00f", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", 
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "tags": {"name": "Network Discovery", "analytic_story": "Network Discovery", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}]}, {"name": "NjRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 2, "id": "f6d52454-6cf3-4759-9627-5868a3e2b2b1", "description": "NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. 
These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.", "narrative": "NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has \"worm\" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. 
NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.", "references": ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"name": "NjRAT", "analytic_story": "NjRAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", 
"Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic 
Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", 
"Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", 
"Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, 
{"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1129", "mitre_attack_technique": "Shared Modules", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": 
"Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", 
"mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - 
Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop 
Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting 
Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Abused Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Admin Permission Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Groups"}]}}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Delete or Modify System Firewall", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify System Firewall"}]}}, {"name": "Windows Disable or Modify Tools Via Taskkill", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows Executable in Loaded Modules", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Shared Modules"}]}}, {"name": "Windows Njrat Fileless Storage via Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Fileless Storage"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify System Firewall with Notable Process Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Replication Through Removable Media"}]}}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System 
Shutdown/Reboot"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows Time Based Evasion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}]}}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "NOBELIUM Group", "author": "Patrick Bareiss, Michael Haag, Splunk", "date": "2020-12-14", "version": 2, "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "description": "Sunburst is a trojanized updates to SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) of the NOBELIUM Group. The threat actor behind sunburst compromised the SolarWinds.Orion.Core.BusinessLayer.dll, is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. 
The detections in this Analytic Story are focusing on the dll loading events, file create events and network events to detect This malware.", "references": ["https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"], "tags": {"name": "NOBELIUM Group", "analytic_story": "NOBELIUM Group", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", 
"APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth 
Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1203", 
"mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": 
["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": ["ESCU - 
Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Michael Haag, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, 
{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Office 365 Account Takeover", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "7dcea963-af44-4db7-a5b9-fd2b543d9bc9", "description": "Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.", "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Account Takeover\" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . 
Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.", "references": ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"name": "Office 365 Account Takeover", "analytic_story": "Office 365 Account Takeover", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1556", 
"mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Initial Access", 
"Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "O365 Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "O365 Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 File Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "O365 High Number Of Failed Authentications for User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "O365 Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password 
Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "O365 User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "O365 User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}]}, {"name": "Office 365 Persistence Mechanisms", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "d230a106-0475-4605-a8d8-abaf4c31ced7", "description": "Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.", "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Persistence Mechanisms\" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. 
By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "tags": {"name": "Office 365 Persistence Mechanisms", "analytic_story": "Office 365 Persistence Mechanisms", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], 
"mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Advanced Audit Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, 
{"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 High Privilege Role Granted", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "O365 Mailbox Read Access Granted to Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Rights Delegation", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "O365 Suspicious User Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}]}, {"name": "Okta MFA Exhaustion", "author": "Michael Haag, Splunk", "date": "2022-09-27", "version": 1, "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "narrative": "An 
MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "tags": {"name": "Okta MFA Exhaustion", "analytic_story": "Okta MFA Exhaustion", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], 
"mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Okta Account Locked Out - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Account Locked Out", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "OpenSSL CVE-2022-3602", "author": "Michael Haag, splunk", "date": "2022-11-02", "version": 1, "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. 
This only affects OpenSSL 3.0.0 - 3.0.6.", "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. 
We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"name": "OpenSSL CVE-2022-3602", "analytic_story": "OpenSSL CVE-2022-3602", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": [], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Encrypted Channel"}]}}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Encrypted Channel"}]}}]}, {"name": "Orangeworm Attack Group", "author": "David Dorsey, Splunk", "date": "2020-01-22", "version": 2, "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "narrative": "In May of 2018, the attack group Orangeworm was implicated 
for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\\\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\\\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\\\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. 
One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "tags": {"name": "Orangeworm Attack Group", "analytic_story": "Orangeworm Attack Group", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", 
"GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response 
Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Previously seen command line arguments", "ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}, {"name": "PaperCut MF NG Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "2493d270-5665-4fb4-99c7-8f886f260676", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. 
For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for.\\ If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\\\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\\\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\\\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. 
Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"name": "PaperCut MF NG Vulnerability", "analytic_story": "PaperCut MF NG Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", 
"Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "97aecafc-0a68-11ec-962f-acde48001122", "description": "PetitPotam (CVE-2021-36942,) is a 
vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "tags": {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "analytic_story": "PetitPotam NTLM Relay on Active Directory Certificate Services", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], 
"mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Forced Authentication"}]}}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "PlugX", "author": "Teoderick Contreras, Splunk", "date": "2023-10-12", "version": 2, "id": "a2c94c99-b93b-4bc7-a749-e2198743d0d6", "description": "PlugX, also referred to as \"PlugX RAT\" or \"Kaba,\" is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.", "narrative": "PlugX, known as the \"silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. 
PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"], "tags": {"name": "PlugX", "analytic_story": "PlugX", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.003", 
"mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections 
Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], 
"mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop 
Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Masquerading Msdtc Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Replication Through Removable Media"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, 
{"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "author": "iDefense Cyber Espionage Team, iDefense", "date": "2020-01-22", "version": 1, "id": "988c59c5-0a1c-45b6-a555-0c62276e327e", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "narrative": "This story was created as a joint effort between iDefense and Splunk.\\\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\\\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. 
Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\\\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\\\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\\\n\\\n1. www.chemscalere[.]com\\\n1. chemscalere[.]com\\\n1. about.chemscalere[.]com\\\n1. autoconfig.chemscalere[.]com\\\n1. autodiscover.chemscalere[.]com\\\n1. catalog.chemscalere[.]com\\\n1. cpanel.chemscalere[.]com\\\n1. db.chemscalere[.]com\\\n1. ftp.chemscalere[.]com\\\n1. mail.chemscalere[.]com\\\n1. news.chemscalere[.]com\\\n1. update.chemscalere[.]com\\\n1. webmail.chemscalere[.]com\\\n1. www.candlelightparty[.]org\\\n1. candlelightparty[.]org\\\n1. newapp.freshasianews[.]comIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\\\n\\\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\\\n1. b43ad826fe6928245d3c02b648296b43\\\n1. 889a9b52566448231f112a5ce9b5dfaf\\\n1. b8ec65dab97cdef3cd256cc4753f0c54\\\n1. 
04d83cd3813698de28cfbba326d7647c", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "tags": {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "analytic_story": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", 
"Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU 
- PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "PrintNightmare CVE-2021-34527", "author": "Splunk Threat Research Team", "date": "2021-07-01", "version": 1, "id": "fd79470a-da88-11eb-b803-acde48001122", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable 
machine.", "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation). \\\nThe prerequisites for successful exploitation consist of: \\\n1. Print Spooler service enabled on the target system \\\n1. Network connectivity to the target system (initial access has been obtained) \\\n1. Hash or password for a low privileged user ( or computer ) account. \\\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "PrintNightmare CVE-2021-34527", "analytic_story": "PrintNightmare CVE-2021-34527", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", 
"mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, 
{"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "author": "Rico Valdez, Splunk", "date": "2017-09-11", "version": 1, "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "tags": {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "analytic_story": "Prohibited Traffic Allowed or Protocol Mismatch", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", 
"mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - 
Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "TOR 
Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}}]}, {"name": "ProxyNotShell", "author": "Michael Haag, Splunk", "date": "2022-09-30", "version": 1, "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "tags": {"name": "ProxyNotShell", "analytic_story": "ProxyNotShell", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", 
"APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", 
"APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", 
"DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": 
"Command and Scripting Interpreter"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, 
{"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "ProxyShell", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "413bb68e-04e2-11ec-a835-acde48001122", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. 
In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "tags": {"name": "ProxyShell", "analytic_story": "ProxyShell", "category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", 
"Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Risk", "Web"], 
"kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, 
{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Qakbot", "author": "Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 2, "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. 
The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "tags": {"name": "Qakbot", "analytic_story": "Qakbot", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt 
Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated 
Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], 
"mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", 
"Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", 
"Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, 
{"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], 
"mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious 
PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", 
"ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, 
{"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": 
"endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": 
"endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": 
"Ransomware", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 1, "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "tags": {"name": "Ransomware", "analytic_story": "Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt 
Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", 
"APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], 
"mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard 
Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", 
"Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", 
"Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik 
Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1486", 
"mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], 
"mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec 
parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", 
"ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - 
Baseline of SMB Traffic - MLTK", "ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission 
Groups Discovery"}]}}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Execute Javascript With Jscript COM CLSID", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Visual Basic"}]}}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": 
"TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy 
Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": []}}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": 
"Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}}]}, {"name": "BlackMatter Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. 
Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "tags": {"name": "BlackMatter Ransomware", "analytic_story": "BlackMatter Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}], "mitre_attack_tactics": ["Credential Access", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known 
Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}]}, {"name": "Chaos Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-11", "version": 1, "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting 
shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "tags": {"name": "Chaos Ransomware", "analytic_story": "Chaos Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", 
"GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", 
"Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", 
"PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow 
Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Replication Through Removable Media"}]}}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, 
{"mitre_attack_technique": "User Execution"}]}}]}, {"name": "Clop Ransomware", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-03-17", "version": 1, "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "tags": {"name": "Clop Ransomware", "analytic_story": "Clop Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", 
"mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", 
"ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear 
Windows Event Logs"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "Ransomware Cloud", "author": "Rod Soto, David Dorsey, Splunk", "date": "2020-10-27", "version": 1, "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. 
There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"name": "Ransomware Cloud", "analytic_story": "Ransomware Cloud", "category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}]}, {"name": "DarkSide Ransomware", "author": "Bhavin Patel, Splunk", "date": "2021-05-12", "version": 1, "id": "507edc74-13d5-4339-878e-b9114ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual 
activities that might relate to the DarkSide Ransomware", "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "DarkSide Ransomware", "analytic_story": "DarkSide Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", 
"mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": 
"CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": 
"T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Exfiltration", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS 
Credential Dumping"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System 
Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "LockBit Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. 
Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "tags": {"name": "LockBit Ransomware", "analytic_story": "LockBit Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": 
["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", 
"MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], 
"baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}]}, {"name": "Prestige Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. 
MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Prestige Ransomware", "analytic_story": "Prestige Ransomware", "category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], 
"mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", 
"Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", 
"mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", 
"SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", 
"MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password 
Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Domain Group Discovery With Net", 
"source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": 
"Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Information 
Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Managers"}]}}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": 
"Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Revil Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-06-04", "version": 1, "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. 
Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Revil Ransomware", "analytic_story": "Revil Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", 
"MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}]}, {"name": "Rhysida Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": 
"0925ee49-1185-4484-94ac-7867764a9183", "description": "Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.", "narrative": "This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact \"targets of opportunity,\" including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. 
Any ransoms paid are then split between the group and the affiliates.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"name": "Rhysida Ransomware", "analytic_story": "Rhysida Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1485", 
"mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon 
Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", 
"menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": 
"Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", 
"Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control 
List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, 
{"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Process File Path", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows Modify Registry NoChangingWallPaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Rundll32 Apply User Settings Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Ryuk Ransomware", "author": "Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "507edc74-13d5-4339-878e-b9744ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. 
Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "tags": {"name": "Ryuk Ransomware", "analytic_story": "Ryuk Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": 
"T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop 
Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, 
{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "SamSam Ransomware", "author": "Rico Valdez, Splunk", "date": "2018-12-13", "version": 1, "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, 
and more.", "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\\\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\\\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\\\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\\\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. 
They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\\\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "tags": {"name": "SamSam Ransomware", "analytic_story": "SamSam Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", 
"PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, 
{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", 
"APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Reconnaissance"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests 
to exploit JBoss servers - Rule"], "investigation_names": ["ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Add Prohibited Processes to Enterprise Security", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "RedLine Stealer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-24", "version": 1, "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its 
payload, screencapture, registry modification, persistence and data collection..", "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "tags": {"name": "RedLine Stealer", "analytic_story": "RedLine Stealer", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": 
"Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Updates"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data 
Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, 
{"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify 
Registry"}]}}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Remcos", "author": "Teoderick Contreras, Splunk", "date": "2021-09-23", "version": 1, "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for 
file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "tags": {"name": "Remcos", "analytic_story": "Remcos", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", 
"Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": 
["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", 
"APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic 
Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account 
Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office 
Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Web Browsers"}, {"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Component Object Model"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Reverse Network Proxy", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "265e4127-21fd-43e4-adac-ec5d12274111", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. 
Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Reverse Network Proxy", "analytic_story": "Reverse Network Proxy", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok 
Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}]}, {"name": "Router and Infrastructure Security", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e177e77", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\\\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. 
By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "tags": {"name": "Router and Infrastructure Security", "analytic_story": "Router and Infrastructure Security", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}, {"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1020.001", 
"mitre_attack_technique": "Traffic Duplication", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Exfiltration", "Impact", "Initial Access", "Persistence"], "datamodels": ["Authentication", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": 
"Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}]}}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "TFTP Boot"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Automated Exfiltration"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Traffic Duplication"}]}}]}, {"name": "Sandworm Tools", "author": "Teoderick Contreras, Splunk", "date": "2022-04-05", "version": 1, "id": "54146850-9d26-4877-a611-2db33231e63e", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. 
This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "tags": {"name": "Sandworm Tools", "analytic_story": "Sandworm Tools", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", 
"Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", 
"Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic 
Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": 
["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS 
Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication 
Certificates"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Scheduled Tasks", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\\\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. 
These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\\\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\\\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\\\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\\\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\\\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\\\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\\\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. 
Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "references": ["https://attack.mitre.org/techniques/T1053/"], "tags": {"name": "Scheduled Tasks", "analytic_story": "Scheduled Tasks", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", 
"Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", 
"Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible 
Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "9482a314-43dc-11ec-a3c9-acde48001122", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. 
\\\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe. \\\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method. \\\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded. \\\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Signed Binary Proxy Execution InstallUtil", "analytic_story": "Signed Binary Proxy Execution InstallUtil", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", 
"Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows 
InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}]}, {"name": "Silver Sparrow", "author": "Michael Haag, Splunk", "date": "2021-02-24", "version": 1, "id": "cb4f48fe-7699-11eb-af77-acde48001122", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. 
Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party Caffiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "tags": {"name": "Silver Sparrow", "analytic_story": "Silver Sparrow", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", 
"mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1074", "mitre_attack_technique": "Data Staged", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Volt Typhoon", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Staged"}]}}]}, {"name": "Snake Malware", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal 
Security Service (FSB) for long-term intelligence collection on sensitive targets.", "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. 
(CISA, 2023)", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Snake Malware", "analytic_story": "Snake Malware", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", 
"Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}]}}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "Sneaky Active Directory Persistence Tricks", "author": "Dean Luxton, Mauricio Velazco, Splunk", "date": "2022-08-29", "version": 1, "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\\\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. 
In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\\\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "tags": {"name": "Sneaky Active Directory Persistence Tricks", "analytic_story": "Windows Domain Controller Attacks", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense 
Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - 
Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, 
{"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "SID-History Injection"}]}}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group 
Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}]}, {"name": "Spearphishing Attachments", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email. 
\\\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack. \\\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security. \\\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\\\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\\\n1. The .lnk file executes a PowerShell script\\\n1. 
Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\\\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "tags": {"name": "Spearphishing Attachments", "analytic_story": "Spearphishing Attachments", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", 
"TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": 
["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus"]}, {"mitre_attack_id": "T1564.006", "mitre_attack_technique": "Run Virtual Instance", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product 
Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Windows ConHost with Headless Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Window"}, {"mitre_attack_technique": "Run Virtual Instance"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Splunk Vulnerabilities", "author": "Lou Stella, Splunk", "date": "2023-11-16", "version": 1, "id": "5354df00-dce2-48ac-9a64-8adb48006828", "description": "Keeping your 
Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "tags": {"name": "Splunk Vulnerabilities", "analytic_story": "Splunk Vulnerabilities", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN13", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "Sowbug", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", 
"menuPass"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}, {"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", 
"Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}, {"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat 
Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1040", "mitre_attack_technique": "Network Sniffing", "mitre_attack_tactics": ["Credential Access", "Discovery"], "mitre_attack_groups": ["APT28", "APT33", "DarkVishnya", "Kimsuky", "Sandworm Team"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Splunk_Audit", "Web"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - 
Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], 
"baseline_names": ["ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline"], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk DoS Using Malformed SAML Request", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}]}}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application or System Exploitation"}]}}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}]}}, {"name": "Splunk DOS via printf search function", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application or System Exploitation"}]}}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk ES DoS Through Investigation Attachments", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "HTML Smuggling"}]}}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", 
"type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Impersonation"}]}}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Splunk RCE via Serialized Session Payload", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk RCE via User XSLT", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk risky Command Abuse disclosed 
february 2023", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Splunk Stored XSS via Data Model objectName field", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Splunk XSS in Highlighted JSON Events", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": 
{"mitre_attack_enrichments": []}}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Sniffing"}]}}]}, {"name": "Spring4Shell CVE-2022-22965", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. \\\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time: \\\n- Java Development Kit (JDK) 9 or greater \\\n- Apache Tomcat as the Servlet container \\\n- Packaged as a WAR \\\n- spring-webmvc or spring-webflux dependency \\\n", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Spring4Shell CVE-2022-22965", "analytic_story": "Spring4Shell CVE-2022-22965", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD 
SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": 
"External Remote Services"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "SQL Injection", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "4f6632f5-449c-4686-80df-57625f59bab3", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\\\nThis Analytic Story contains a search designed to identify attempts by 
attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "tags": {"name": "SQL Injection", "analytic_story": "SQL Injection", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "7faf91b6-532a-4f18-807c-b2761e90b6dc", "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. 
This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.", "narrative": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). 
Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "analytic_story": "Subvert Trust Controls SIP and Trust Provider Hijacking", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.003", "mitre_attack_technique": "SIP and Trust Provider Hijacking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Registry SIP Provider Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}}, {"name": "Windows SIP Provider Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}}, {"name": "Windows SIP 
WinVerifyTrust Failed Trust Validation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}}]}, {"name": "Suspicious AWS Login Activities", "author": "Bhavin Patel, Splunk", "date": "2019-05-01", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "tags": {"name": "Suspicious AWS Login Activities", "analytic_story": "Suspicious AWS Login Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task"], "baseline_names": ["ESCU - Previously seen users in CloudTrail", "ESCU - Update previously seen users in CloudTrail"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, 
{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Suspicious AWS S3 Activities", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 3, "id": "66732346-8fb0-407b-9633-da16756567d6", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\\\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses. \\\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. 
By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/", null], "tags": {"name": "Suspicious AWS S3 Activities", "analytic_story": "Suspicious AWS S3 Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}], "mitre_attack_tactics": ["Collection", "Exfiltration", "Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], 
"investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS S3 Bucket details via bucketName - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of S3 Bucket deletion activity by ARN", "ESCU - Previously seen S3 bucket access by remote IP"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}]}, {"name": "Suspicious AWS Traffic", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "description": "Leverage these searches to monitor your AWS 
network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network. \\\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\\\n Attackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. 
Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\\\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "tags": {"name": "Suspicious AWS Traffic", "analytic_story": "Suspicious AWS Traffic", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious Cloud Authentication Activities", "author": "Rico Valdez, Splunk", "date": "2020-06-04", "version": 1, "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "description": "Monitor your cloud authentication events. 
Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\\\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "tags": {"name": "Suspicious Cloud Authentication Activities", "analytic_story": "Suspicious Cloud Authentication Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Resource Development"], 
"datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation", "Weaponization"]}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Cross Account Activity - Initial", "ESCU - Previously Seen AWS Cross Account Activity - Update", "ESCU - Previously Seen Users in CloudTrail - Initial", "ESCU - Previously Seen Users In CloudTrail - Update"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New 
Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Suspicious Cloud Instance Activities", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "8168ca88-392e-42f4-85a2-767579c660ce", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious Cloud Instance Activities", "analytic_story": "Suspicious Cloud Instance Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", 
"APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Exfiltration", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Instances Destroyed", "ESCU - Baseline Of Cloud Instances Launched", "ESCU - Previously Seen Cloud Instance Modifications By User - Initial", "ESCU - Previously Seen Cloud Instance Modifications By User - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": 
"cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS AMI Atttribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Cloud Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-08-20", "version": 1, "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. 
This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious Cloud Provisioning Activities", "analytic_story": "Suspicious Cloud Provisioning Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", 
"Exploitation", "Installation"]}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen Cloud Provisioning Activity Sources - Initial", "ESCU - Previously Seen Cloud Provisioning Activity Sources - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Cloud User Activities", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. 
In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "tags": {"name": "Suspicious Cloud User Activities", "analytic_story": "Suspicious Cloud User Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial 
Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Infrastructure API Calls Per User", "ESCU - Baseline Of Cloud Security Group API Calls Per User", "ESCU - Previously Seen Cloud API Calls Per User Role - Initial", "ESCU - Previously Seen Cloud API Calls Per User Role - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}]}}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Command-Line Executions", 
"author": "Bhavin Patel, Splunk", "date": "2020-02-03", "version": 2, "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "tags": {"name": "Suspicious Command-Line Executions", "analytic_story": "Suspicious Command-Line Executions", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", 
"Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", 
"Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious Compiled HTML Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "a09db4d1-3827-4833-87b8-3a397e532119", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). \\\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file. \\\nDuring investigation, review all parallel processes and child processes. 
It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis. \\\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"name": "Suspicious Compiled HTML Activity", "analytic_story": "Suspicious Compiled HTML Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}]}, {"name": "Suspicious DNS Traffic", "author": "Rico Valdez, Splunk", "date": "2017-09-18", "version": 1, "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. 
The searches within this Analytic Story look for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "tags": {"name": "Suspicious DNS Traffic", "analytic_story": "Suspicious DNS Traffic", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent 
Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of DNS Query Length - MLTK"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect Long DNS TXT Record Response", 
"source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": 
"DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}]}, {"name": "Suspicious Emails", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\\\nOnce a phishing message has been detected, the next steps are to answer the following questions: \\\n1. Which users have received this or a similar message in the past?\\\n1. When did the targeted campaign begin?\\\n1. 
Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "tags": {"name": "Suspicious Emails", "analytic_story": "Suspicious Emails", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Email", "UEBA"], "kill_chain_phases": ["Delivery"]}, "detection_names": 
["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - DNSTwist Domain Names"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}]}, {"name": "Suspicious GCP Storage Activities", "author": "Shannon Davis, Splunk", "date": "2020-08-05", "version": 1, "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. 
This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "tags": {"name": "Suspicious GCP Storage Activities", "analytic_story": "Suspicious GCP Storage Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}], "mitre_attack_tactics": ["Collection"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}]}, {"name": "Suspicious MSHTA Activity", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "description": "Monitor and detect techniques used by attackers who leverage the 
mshta.exe process to execute malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\\\nTriage\\\nValidate execution \\\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\\\n1. Determine if script code was executed with MSHTA.\\\nSituational Awareness\\\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\\\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\\\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\\\n1. Network connections. Any network connections? 
Review the reputation of the remote IP or domain.\\\nRetrieval of script code\\\nThe objective of this step is to confirm the executed script code is benign or malicious.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "tags": {"name": "Suspicious MSHTA Activity", "analytic_story": "Suspicious MSHTA Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon 
Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - 
Suspicious mshta spawn - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, 
{"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}]}, {"name": "Suspicious Okta Activity", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom. \\\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important. \\\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. 
This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "tags": {"name": "Suspicious Okta Activity", "analytic_story": "Suspicious Okta Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], 
"mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta 
Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule", "ESCU - Okta User Logins From Multiple Cities - Rule"], "investigation_names": ["ESCU - Investigate Okta Activity by app - Response Task", "ESCU - Investigate Okta Activity by IP Address - Response Task", "ESCU - Investigate User Activities In Okta - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Account Locked Out", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Account Lockout Events", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Failed SSO Attempts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Session Cookie"}, {"mitre_attack_technique": "Cloud Service Dashboard"}]}}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Credential 
Stuffing"}]}}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta User Logins From Multiple Cities", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}]}, {"name": "Suspicious Regsvcs Regasm Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. 
Review parallel process events for csc.exe being utilized to compile script code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "tags": {"name": "Suspicious Regsvcs Regasm Activity", "analytic_story": "Suspicious Regsvcs Regasm Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy 
Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}]}, {"name": "Suspicious Regsvr32 Activity", "author": "Michael Haag, Splunk", "date": "2021-01-29", "version": 1, "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. 
Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "tags": {"name": "Suspicious Regsvr32 Activity", "analytic_story": "Suspicious Regsvr32 Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", 
"Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}]}, {"name": "Suspicious Rundll32 Activity", "author": "Michael Haag, Splunk", "date": "2021-02-03", "version": 1, "id": 
"80a65487-854b-42f1-80a1-935e4c170694", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "tags": {"name": "Suspicious Rundll32 Activity", "analytic_story": "Suspicious Rundll32 Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line 
Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Suspicious Windows Registry Activities", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 1, "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\\\n The registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. 
Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\\\n The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "tags": {"name": "Suspicious Windows Registry Activities", "analytic_story": "Suspicious Windows Registry Activities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": 
"Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", 
"Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling Remote User Account Control", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mshta"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}]}, {"name": "Suspicious WMI Use", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 2, "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. 
Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. 
These details may provide insights related to how WMI was used and to what end.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "tags": {"name": "Suspicious WMI Use", "analytic_story": "Suspicious WMI Use", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], 
"kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management 
Instrumentation"}]}}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}]}, {"name": "Suspicious Zoom Child Processes", "author": "David Dorsey, Splunk", "date": "2020-04-13", "version": 1, "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. 
With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\\\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "tags": {"name": "Suspicious Zoom Child Processes", "analytic_story": "Suspicious Zoom Child Processes", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", 
"admin@338", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["ESCU - Get Process File Activity - Response Task"], "baseline_names": ["ESCU - Previously Seen Zoom Child Processes - Initial", "ESCU - Previously Seen Zoom Child Processes - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "Swift Slicer", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-02-01", "version": 1, "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine 
inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"name": "Swift Slicer", "analytic_story": "Swift Slicer", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In 
Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}]}, {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-11-09", "version": 1, "id": "228f22cb-3436-4c31-8af4-370d40af7b49", "description": "A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.", "narrative": "The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. 
SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.", "references": ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"], "tags": {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "analytic_story": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", 
"TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], 
"mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, 
{"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Text4Shell CVE-2022-42889", "author": "Michael Haag, Splunk", "date": "2022-10-26", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497b", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. 
However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "tags": {"name": "Text4Shell CVE-2022-42889", "analytic_story": "Text4Shell CVE-2022-42889", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard 
Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Trickbot", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-04-20", "version": 1, "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. 
steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "tags": {"name": "Trickbot", "analytic_story": "Trickbot", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral 
Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", 
"Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", 
"TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share 
- Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 StartW", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Network Information"}, {"mitre_attack_technique": "IP Addresses"}]}}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Trusted Developer Utilities Proxy Execution", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 1, "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. 
These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "tags": {"name": "Trusted Developer Utilities Proxy Execution", "analytic_story": "Trusted Developer Utilities Proxy Execution", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": 
"Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "author": "Michael Haag, Splunk", "date": "2021-01-21", "version": 1, "id": "be3418e2-551b-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\\\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\\\nTriage\\\nValidate execution\\\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\\\n1. 
Determine if script code was executed with MSBuild.\\\nSituational Awareness\\\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\\\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\\\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\\\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\\\nRetrieval of script code\\\nThe objective of this step is to confirm the executed script code is benign or malicious.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "tags": {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "analytic_story": "Trusted Developer Utilities Proxy Execution MSBuild", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic 
Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "MSBuild"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}}]}, {"name": "Unusual Processes", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 2, "id": 
"f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\\\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\\\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. 
This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "tags": {"name": "Unusual Processes", "analytic_story": "Unusual Processes", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard 
Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic 
Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": 
"T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID 
Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Verclsid"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Registry Payload Injection", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Fileless Storage"}]}}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Use of Cleartext Protocols", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. 
In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "tags": {"name": "Use of Cleartext Protocols", "analytic_story": "Use of Cleartext Protocols", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. 
VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\\\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\\\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\\\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\\\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. 
It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "tags": {"name": "VMware Aria Operations vRealize CVE-2023-20887", "analytic_story": "VMware Aria Operations vRealize CVE-2023-20887", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, 
{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "External Remote Services"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Exploitation of Remote Services"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. 
The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "tags": {"name": "VMware Server Side Injection and Privilege Escalation", "analytic_story": "VMware Server Side Injection and Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": 
["Delivery", "Installation"]}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Volt Typhoon", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering.\\ Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. 
\\ They issue commands via the command line to :\\ (1) collect data, including credentials from local and network systems, \\ (2) put the data into an archive file to stage it for exfiltration, and then \\ (3) use the stolen valid credentials to maintain persistence. \\ In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Volt Typhoon", "analytic_story": "Volt Typhoon", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", 
"Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", 
"Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", 
"Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, 
{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": 
["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "FIN13", "Higaisa", "Lazarus Group", "Strider", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - 
Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows 
Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, 
{"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, 
{"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of 
Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}]}, {"name": "Warzone RAT", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "8dc84752-f4da-4285-931c-bddd5c4d440b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. 
This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more.", "narrative": "Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools.\" This version provides more context and elaborates on the malware's capabilities and potential impact. 
Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively.", "references": ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"], "tags": {"name": "Warzone RAT", "analytic_story": "Warzone RAT", "category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege 
Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": 
["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", 
"TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1553.005", "mitre_attack_technique": "Mark-of-the-Web Bypass", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["APT29", "TA505"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry 
Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores 
Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Mark Of The Web Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mark-of-the-Web Bypass"}]}}, {"name": "Windows Modify Registry MaxConnectionPerServer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}]}}]}, {"name": "WhisperGate", "author": "Teoderick Contreras, Splunk", "date": "2022-01-19", "version": 1, "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that 
might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "tags": {"name": "WhisperGate", "analytic_story": "WhisperGate", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt 
Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, 
{"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1497", 
"mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], 
"mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege 
Escalation", "Resource Development"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, 
{"mitre_attack_technique": "Windows Service"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, 
{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Windows Attack Surface Reduction", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "1d61c474-3cd6-4c23-8c68-f128ac4b209b", "description": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. 
ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.", "narrative": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "tags": {"name": "Windows Attack Surface Reduction", "analytic_story": "Windows Attack Surface Reduction", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": 
"Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", 
"Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Defender ASR Audit Events", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Windows Defender ASR Block Events", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Windows Defender ASR Registry Modification", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Defender ASR Rule Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Defender ASR Rules Stacking", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Windows BootKits", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": 
"1bef004d-23b2-4c49-8ceb-b59af0745317", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. 
Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "tags": {"name": "Windows BootKits", "analytic_story": "Windows BootKits", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], 
"kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Pre-OS Boot"}, {"mitre_attack_technique": "Registry Run Keys / Startup Folder"}]}}]}, {"name": "Windows Certificate Services", "author": "Michael Haag, Splunk", "date": "2023-02-01", "version": 1, "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. 
Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "references": ["https://attack.mitre.org/techniques/T1649/"], "tags": {"name": "Windows Certificate Services", "analytic_story": "Windows Certificate Services", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat 
Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured 
Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Defense Evasion", "Execution", "Lateral Movement"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": []}}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Use Alternate Authentication Material"}]}}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}]}, {"name": "Windows Defense Evasion Tactics", "author": "David Dorsey, Splunk", "date": "2018-05-31", "version": 1, "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. 
This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "tags": {"name": "Windows Defense Evasion Tactics", "analytic_story": "Windows Defense Evasion Tactics", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", 
"Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1564.004", "mitre_attack_technique": "NTFS File Attributes", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System 
Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token 
Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Endpoint", "Risk", "Web"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", 
"ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - 
Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compile After Delivery"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, 
{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair 
Defenses"}]}}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control 
Mechanism"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Windows Alternate DataStream - Base64 Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}}, {"name": "Windows Alternate DataStream - Executable Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}}, {"name": "Windows Alternate DataStream - Process Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System 
Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DLL Search 
Order Hijacking Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or 
Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Parent PID Spoofing with Explorer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Windows Discovery Techniques", "author": "Michael Hart, Splunk", "date": "2021-03-04", "version": 1, "id": "f7aba570-7d59-11eb-825e-acde48001122", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "tags": {"name": "Windows Discovery Techniques", "analytic_story": "Windows Discovery Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}], "mitre_attack_tactics": 
["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Net Localgroup Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "36dbb206-d073-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. 
The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "tags": {"name": "Windows DNS SIGRed CVE-2020-1350", "analytic_story": "Windows DNS SIGRed CVE-2020-1350", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}]}, {"name": "Windows Drivers", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? 
A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "tags": {"name": "Windows Drivers", "analytic_story": "Windows Drivers", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense 
Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - 
Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows System File on Disk", "source": "endpoint", 
"type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}]}, {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "64dea1e5-2c60-461f-b886-05580ed89b5c", "description": "In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature.", "narrative": "In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for \"0day\" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874. \\\nThe WER service's function is to report software issues on Windows hosts. 
The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access. \\\nThe observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers. \\\nCrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries.", "references": ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"], "tags": {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "analytic_story": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System 
Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}]}, {"name": "Windows File Extension and Association Abuse", "author": "Rico Valdez, Splunk", "date": "2018-01-26", "version": 1, "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications. \\\n Since its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe. \\\n Attackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. 
Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\\\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\\\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "tags": {"name": "Windows File Extension and Association Abuse", "analytic_story": "Windows File Extension and Association Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense 
Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}]}, {"name": "Windows Log Manipulation", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 2, "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. 
Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\\\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. 
Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "tags": {"name": "Windows Log Manipulation", "analytic_story": "Windows Log Manipulation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}]}, {"name": "Windows Persistence Techniques", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 2, "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. 
This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "tags": {"name": "Windows Persistence Techniques", "analytic_story": "Windows Persistence Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense 
Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry 
Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": 
"Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": 
["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task 
from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Detect Path Interception By 
Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Path Interception by Unquoted Path"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, 
{"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}]}}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mshta"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Scheduled Task Service Spawned Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled 
Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Windows Post-Exploitation", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. 
Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Post-Exploitation", "analytic_story": "Windows Post-Exploitation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", 
"mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1115", 
"mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", 
"mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": 
["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - 
Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network 
Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Managers"}]}}, {"name": "Windows Post Exploitation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Clipboard Data"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}]}, {"name": "Windows Privilege Escalation", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "644e22d3-598a-429c-a007-16fdb802cae5", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. 
The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Windows Privilege Escalation", "analytic_story": "Windows Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": 
["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Change 
Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}]}, {"name": "Windows Registry Abuse", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 1, "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. 
In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "tags": {"name": "Windows Registry Abuse", "analytic_story": "Windows Registry Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", 
"mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": 
["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", 
"APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - 
Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable 
Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Change Default File 
Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, 
{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify 
Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "Enable RDP In Other Port Number", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart 
Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Driver"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": 
"endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows 
Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Registry Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control 
Mechanism"}]}}]}, {"name": "Windows Service Abuse", "author": "Rico Valdez, Splunk", "date": "2017-11-02", "version": 3, "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "tags": {"name": "Windows Service Abuse", "analytic_story": "Windows Service Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", 
"mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Reg exe 
Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "author": "Michael Haag, Splunk", "date": "2022-06-16", "version": 1, "id": "bea2e16b-4599-46ad-a95b-116078726c68", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. 
Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "tags": {"name": "Windows System Binary Proxy Execution MSIExec", "analytic_story": "Windows System Binary Proxy Execution MSIExec", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": 
"TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}]}, {"name": "WinRAR Spoofing Attack CVE-2023-38831", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "9ba776f3-b8c5-4390-a312-6dab6c5561b9", "description": "Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege.", "narrative": "Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. \\\nThe vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. 
The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses. \\\nGroup-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation. \\\nIn conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. 
Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"], "tags": {"name": "WinRAR Spoofing Attack CVE-2023-38831", "analytic_story": "WinRAR Spoofing Attack CVE-2023-38831", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - WinRAR Spawning Shell Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Michael Haag", "detections": [{"name": "WinRAR Spawning Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Winter Vivern", "author": "Teoderick Contreras, Splunk", "date": "2023-02-16", "version": 1, "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. 
To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "references": ["https://cert.gov.ua/article/3761023"], "tags": {"name": "Winter Vivern", "analytic_story": "Winter Vivern", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", 
"APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": 
["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or 
Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, 
{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, 
{"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "WS FTP Server Critical Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "60466291-3ab4-452b-9c11-456aa2dc7293", "description": "A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.", "narrative": "Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. 
The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.", "references": ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"], "tags": {"name": "WS FTP Server Critical Vulnerabilities", "analytic_story": "WS FTP Server Critical Vulnerabilities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": 
"T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}}, {"name": "WS FTP Remote Code Execution", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": 
"XMRig", "author": "Teoderick Contreras, Rod Soto Splunk", "date": "2021-05-07", "version": 1, "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. 
This monero is seen in the wild on May 2017.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "tags": {"name": "XMRig", "analytic_story": "XMRig", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, 
{"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", 
"Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And 
Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Net 
User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"File and Directory Permissions Modification"}]}}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}]} \ No newline at end of file +{"stories": [{"name": "3CX Supply Chain Attack", "author": "Michael Haag, Splunk", "date": "2023-03-30", "version": 1, "id": "c4d7618c-73a7-4f7c-8071-060c36850785", "description": "On March 29, 2023, CrowdStrike Falcon OverWatch observed unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX. 
The malicious activity includes beaconing to actor controlled infrastructure, deployment of second stage payloads, and, in a small number of cases, hands on keyboard activity. (CrowdStrike)", "narrative": "On March 22, 2023, cybersecurity firm SentinelOne observed a surge in behavioral detections of trojanized 3CXDesktopApp installers, a popular PABX voice and video conferencing software. The multi-stage attack chain, which automatically quarantines trojanized installers, involves downloading ICO files with base64 data from GitHub and eventually leads to a 3rd stage infostealer DLL that is still under analysis. While the Mac installer remains unconfirmed as trojanized, ongoing investigations are also examining other potentially compromised applications, such as Chrome extensions. The threat actor behind the supply chain compromise, which started in February 2022, has used a code signing certificate to sign the trojanized binaries, but connections to existing threat clusters remain unclear. SentinelOne updated their IOCs on March 30th, 2023, with contributions from the research community and continues to monitor the situation for further developments. 3CX identified the vulnerability in the recent versions 18.12.407 and 18.12.416 for the desktop app. 
A new certificate for the app will also be produced.", "references": ["https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/", "https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp", "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/", "https://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898", "https://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/", "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack", "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"], "tags": {"name": "3CX Supply Chain Attack", "analytic_story": "3CX Supply Chain Attack", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", 
"ZIRCONIUM"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - 3CX Supply Chain Attack Network Indicators - Rule", "ESCU - Hunting 3CXDesktopApp Software - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Windows Vulnerable 3CX Software - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "3CX Supply Chain Attack Network Indicators", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}, {"name": "Hunting 3CXDesktopApp Software", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Windows Vulnerable 3CX Software", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}]}}]}, {"name": "IcedID", "author": "Teoderick Contreras, Splunk", "date": "2021-07-29", "version": 1, "id": "1d2cc747-63d7-49a9-abb8-93aa36305603", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking 
trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.", "narrative": "IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains \"license.dat\" which is the actual core icedid bot.", "references": ["https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/", "https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/"], "tags": {"name": "IcedID", "analytic_story": "IcedID", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", 
"BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": 
["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", 
"Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", 
"TA551"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", 
"EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", 
"TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], 
"mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1005", "mitre_attack_technique": "Data from Local System", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT37", "APT38", "APT39", "APT41", "Andariel", "Axiom", "BRONZE BUTLER", "CURIUM", "Dark Caracal", "Dragonfly", "FIN13", "FIN6", "FIN7", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "LuminousMoth", "Magic Hound", "Patchwork", "Sandworm Team", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "Windigo", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Disable 
Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Drop IcedID License dat - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - IcedID Exfiltrated Archived File Creation - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Share Discovery Via Dir Command - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Sqlite Module In 
Temp Folder - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 PluginInit - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, 
{"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, 
{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Drop IcedID License dat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "IcedID Exfiltrated Archived File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Share Discovery Via Dir Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy 
Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Sqlite Module In Temp Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Local System"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 PluginInit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "author": "Matthew Moore, Patrick Bareiss, Splunk", "date": "2024-01-08", "version": 1, "id": "7589023b-3d98-42b3-ab1c-bb498e68fc2d", "description": "Kubernetes, a complex container orchestration system, is susceptible to a variety of security threats. This story delves into the different strategies and methods adversaries employ to exploit Kubernetes environments. 
These include attacks on the control plane, exploitation of misconfigurations, and breaches of containerized applications. Observability data, such as metrics, play a crucial role in identifying abnormal and potentially malicious behavior within these environments.", "narrative": "Kubernetes, a complex container orchestration system, is a prime target for adversaries due to its widespread use and inherent complexity. This story focuses on the abnormal behavior within Kubernetes environments that can be indicative of security threats. Key areas of concern include the control plane, worker nodes, and network communication, all of which can be exploited by attackers. Observability data, such as metrics, play a crucial role in identifying these abnormal behaviors. These behaviors could be a result of attacks on the control plane, exploitation of misconfigurations, or breaches of containerized applications. For instance, attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, which manages cluster operations, is a prime target and its compromise can give attackers control over the entire cluster. 
Worker nodes, which run the containerized applications, can also be targeted to disrupt services or to gain access to sensitive data.", "references": ["https://kubernetes.io/docs/concepts/security/", "https://splunkbase.splunk.com/app/5247"], "tags": {"name": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "analytic_story": "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Execution"], "datamodels": [], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Kubernetes Anomalous Inbound Outbound Network IO - Rule", "ESCU - Kubernetes Anomalous Inbound to Outbound Network IO Ratio - Rule", "ESCU - Kubernetes Previously Unseen Container Image Name - Rule", "ESCU - Kubernetes Process Running From New Path - Rule", "ESCU - Kubernetes Process with Anomalous Resource Utilisation - Rule", "ESCU - Kubernetes Process with Resource Ratio Anomalies - Rule", "ESCU - Kubernetes Shell Running on Worker Node - Rule", "ESCU - Kubernetes Shell Running on Worker Node with CPU Activity - Rule"], "investigation_names": [], "baseline_names": ["ESCU - Baseline Of Kubernetes Container Network IO", "ESCU - Baseline Of Kubernetes Container Network IO Ratio", "ESCU - Baseline Of Kubernetes Process Resource", "ESCU - Baseline Of Kubernetes Process Resource Ratio"], "author_company": "Patrick Bareiss, Splunk", "author_name": "Matthew Moore", "detections": [{"name": "Kubernetes Anomalous Inbound Outbound Network IO", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Anomalous Inbound to Outbound 
Network IO Ratio", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Previously Unseen Container Image Name", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Process Running From New Path", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Process with Anomalous Resource Utilisation", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Process with Resource Ratio Anomalies", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Shell Running on Worker Node", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Kubernetes Shell Running on Worker Node with CPU Activity", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}]}, {"name": "AcidRain", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "c68717c6-4938-434b-987c-e1ce9d516124", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the acidrain malware including deleting of files and etc. AcidRain is an ELF MIPS malware specifically designed to wipe modems and routers. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. 
This malware is capable of wiping and deleting non-standard linux files and overwriting storage device files that might related to router, ssd card and many more.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"], "tags": {"name": "AcidRain", "analytic_story": "AcidRain", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux High 
Frequency Of File Deletion In Etc Folder - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}]}, {"name": "Active Directory Discovery", "author": "Mauricio Velazco, Splunk", "date": "2021-08-20", "version": 1, "id": "8460679c-2b21-463e-b381-b813417c32f2", "description": "Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.", "narrative": "Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. 
These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next.\\\nOnce an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://adsecurity.org/?p=2535", "https://attack.mitre.org/techniques/T1087/001/", "https://attack.mitre.org/techniques/T1087/002/", "https://attack.mitre.org/techniques/T1087/003/", "https://attack.mitre.org/techniques/T1482/", "https://attack.mitre.org/techniques/T1201/", "https://attack.mitre.org/techniques/T1069/001/", "https://attack.mitre.org/techniques/T1069/002/", "https://attack.mitre.org/techniques/T1018/", "https://attack.mitre.org/techniques/T1049/", "https://attack.mitre.org/techniques/T1033/"], "tags": {"name": "Active Directory Discovery", "analytic_story": "Active Directory Discovery", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System 
Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", 
"Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", 
"APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1570", "mitre_attack_technique": "Lateral Tool Transfer", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT32", "Aoqin Dragon", "Chimera", "FIN10", "GALLIUM", "Magic Hound", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, 
{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", 
"Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Domain Account Discovery with Dsquery - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Account Discovery with Wmic - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Controller Discovery with Wmic - Rule", "ESCU - Domain Group Discovery with Adsisearcher - Rule", "ESCU - Domain Group Discovery With Dsquery - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Domain Group Discovery With Wmic - Rule", "ESCU - DSQuery Domain Discovery - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery with PowerView - Rule", "ESCU - Elevated Group Discovery With Wmic - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell - Rule", "ESCU - Get ADDefaultDomainPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainPolicy with Powershell - Rule", "ESCU - Get DomainPolicy with Powershell Script Block - Rule", "ESCU - Get-DomainTrust with PowerShell - Rule", "ESCU - Get-DomainTrust with PowerShell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Get-ForestTrust with PowerShell - Rule", "ESCU - Get-ForestTrust with PowerShell Script Block - Rule", "ESCU - Get WMIObject Group Discovery - Rule", "ESCU - Get WMIObject Group Discovery with Script Block Logging - Rule", "ESCU - GetAdComputer with PowerShell - Rule", "ESCU - GetAdComputer with PowerShell Script 
Block - Rule", "ESCU - GetAdGroup with PowerShell - Rule", "ESCU - GetAdGroup with PowerShell Script Block - Rule", "ESCU - GetCurrent User with PowerShell - Rule", "ESCU - GetCurrent User with PowerShell Script Block - Rule", "ESCU - GetDomainComputer with PowerShell - Rule", "ESCU - GetDomainComputer with PowerShell Script Block - Rule", "ESCU - GetDomainController with PowerShell - Rule", "ESCU - GetDomainController with PowerShell Script Block - Rule", "ESCU - GetDomainGroup with PowerShell - Rule", "ESCU - GetDomainGroup with PowerShell Script Block - Rule", "ESCU - GetLocalUser with PowerShell - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetNetTcpconnection with PowerShell - Rule", "ESCU - GetNetTcpconnection with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell - Rule", "ESCU - GetWmiObject Ds Computer with PowerShell Script Block - Rule", "ESCU - GetWmiObject Ds Group with PowerShell - Rule", "ESCU - GetWmiObject Ds Group with PowerShell Script Block - Rule", "ESCU - GetWmiObject DS User with PowerShell - Rule", "ESCU - GetWmiObject DS User with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Local Account Discovery With Wmic - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Password Policy Discovery with Net - Rule", "ESCU - PowerShell Get LocalGroup Discovery - Rule", "ESCU - Powershell Get LocalGroup Discovery with Script Block Logging - Rule", "ESCU - Remote System Discovery with Adsisearcher - Rule", "ESCU - Remote System Discovery with 
Dsquery - Rule", "ESCU - Remote System Discovery with Net - Rule", "ESCU - Remote System Discovery with Wmic - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - System User Discovery With Query - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - User Discovery With Env Vars PowerShell - Rule", "ESCU - User Discovery With Env Vars PowerShell Script Block - Rule", "ESCU - Windows AD Abnormal Object Access Activity - Rule", "ESCU - Windows AD Privileged Object Access Activity - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Find Domain Organizational Units with GetDomainOU - Rule", "ESCU - Windows Find Interesting ACL with FindInterestingDomainAcl - Rule", "ESCU - Windows Forest Discovery with GetForestDomain - Rule", "ESCU - Windows Get Local Admin with FindLocalAdminAccess - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Lateral Tool Transfer RemCom - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Service Create RemComSvc - Rule", "ESCU - Windows Suspect Process With Authentication Traffic - Rule", "ESCU - Wmic Group Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery 
With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Account Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Controller Discovery with Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Group Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Domain Group Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery with PowerView", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery With Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get DomainPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password 
Policy Discovery"}]}}, {"name": "Get DomainPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get-DomainTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get-DomainTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get-ForestTrust with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Get-ForestTrust with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Get WMIObject Group Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Get WMIObject Group Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "GetAdComputer with PowerShell", "source": "endpoint", "type": "Hunting", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetAdGroup with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetAdGroup with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetCurrent User with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "GetCurrent User with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "GetDomainComputer with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainComputer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainController with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainController with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetDomainGroup with PowerShell", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetDomainGroup with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetLocalUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetNetTcpconnection with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "GetNetTcpconnection with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "GetWmiObject Ds Computer with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetWmiObject Ds Computer with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "GetWmiObject Ds Group with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetWmiObject Ds Group with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "GetWmiObject DS User with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "GetWmiObject DS User with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Local Account Discovery With Wmic", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network 
Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Password Policy Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "PowerShell Get LocalGroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Powershell Get LocalGroup Discovery with Script Block Logging", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Remote System Discovery with Adsisearcher", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Dsquery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Remote System Discovery with Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "System User Discovery With Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "User Discovery With Env Vars PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "User Discovery With Env Vars PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows AD Abnormal Object Access Activity", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows AD Privileged Object Access Activity", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Find Domain Organizational Units with GetDomainOU", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Find Interesting ACL with FindInterestingDomainAcl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Forest Discovery with GetForestDomain", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Get Local Admin with FindLocalAdminAccess", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Lateral Tool Transfer RemCom", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Lateral Tool Transfer"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Service Create RemComSvc", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Suspect Process With Authentication Traffic", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Wmic Group Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}]}, {"name": "Active Directory Kerberos Attacks", "author": "Mauricio Velazco, Splunk", "date": "2022-02-02", "version": 1, "id": "38b8cf16-8461-11ec-ade1-acde48001122", "description": "Monitor for activities and techniques associated with Kerberos based attacks within with Active Directory environments.", "narrative": "Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third-party. This trusted third-party issues Kerberos tickets using symmetric encryption to allow users access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003. 
With Kerberos being the backbone of Windows authentication, it is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc.\\ This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.", "references": ["https://en.wikipedia.org/wiki/Kerberos_(protocol)", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/", "https://attack.mitre.org/techniques/T1558/003/", "https://attack.mitre.org/techniques/T1550/003/", "https://attack.mitre.org/techniques/T1558/004/"], "tags": {"name": "Active Directory Kerberos Attacks", "analytic_story": "Active Directory Kerberos Attacks", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", 
"mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1589.002", "mitre_attack_technique": "Email Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "HAFNIUM", "HEXANE", "Kimsuky", "LAPSUS$", "Lazarus Group", "Magic Hound", "MuddyWater", "Sandworm Team", "Silent Librarian", "TA551"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", 
"Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Authentication", "Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With PowerView - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled in UserAccountControl - Rule", "ESCU - Kerberos Pre-Authentication Flag Disabled with PowerShell - Rule", "ESCU - Kerberos Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Kerberos TGT Request Using RC4 Encryption - Rule", "ESCU - Kerberos User Enumeration - Rule", "ESCU - Mimikatz 
PassTheTicket CommandLine Parameters - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unknown Process Using The Kerberos Protocol - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Kerberos Service Tickets Requested - Rule", "ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows Get-AdComputer Unconstrained Delegation Discovery - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Disabled Kerberos Pre-Authentication Discovery With 
Get-ADUser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}}, {"name": "Kerberos TGT Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}, {"name": "Kerberos User Enumeration", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Identity Information"}, {"mitre_attack_technique": "Email Addresses"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Unknown Process Using The Kerberos Protocol", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use 
Alternate Authentication Material"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Kerberos Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Get-AdComputer Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using 
Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password 
Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Active Directory Lateral Movement", "author": "David Dorsey, Mauricio Velazco Splunk", "date": "2021-12-09", "version": 3, "id": "399d65dc-1f08-499b-a259-aad9051f38ad", "description": "Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.", "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation.\\\nIndications of lateral movement in an Active Directory network can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor.\\\nAn adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. 
Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.\\\nIf there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. \\\n It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html", "http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco"], "tags": {"name": "Active Directory Lateral Movement", "analytic_story": "Active Directory Lateral Movement", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.002", "mitre_attack_technique": "Pass the Hash", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT1", "APT28", "APT32", "Chimera", "FIN13", "GALLIUM", "Kimsuky", "Wizard Spider"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat 
Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", 
"Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", 
"OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1563", "mitre_attack_technique": "Remote Service Session Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial 
Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Activity Related to Pass the Hash Attacks - Rule", "ESCU - Active Directory Lateral Movement Identified - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Interactive Session on Remote Endpoint with PowerShell - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Start or Stop Service - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Randomly Generated Windows Service Name - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell - Rule", "ESCU - Remote Process Instantiation via DCOM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell - Rule", "ESCU - Remote Process Instantiation via WinRM and PowerShell Script Block - Rule", "ESCU - Remote Process Instantiation via WinRM and Winrs - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell - Rule", "ESCU - Remote Process Instantiation via WMI and PowerShell Script Block - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", 
"ESCU - Short Lived Scheduled Task - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerShell Get CIMInstance Remote Computer - Rule", "ESCU - Windows PowerShell WMI Win32 ScheduledJob - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Service Create with Tscon - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", "ESCU - Wsmprovhost LOLBAS Execution Process Spawn - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Mauricio Velazco Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Activity Related to Pass the Hash Attacks", "source": "deprecated", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Hash"}]}}, {"name": "Active Directory Lateral Movement Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Interactive Session on Remote Endpoint with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "PowerShell Start or Stop Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Randomly 
Generated Windows Service Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Process Instantiation via DCOM and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}}, {"name": "Remote Process Instantiation via DCOM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}]}}, {"name": "Remote Process Instantiation via WinRM and PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WinRM and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WinRM and Winrs", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI and PowerShell", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI and PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Administrative Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Windows PowerShell Get CIMInstance Remote Computer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows PowerShell WMI Win32 ScheduledJob", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}]}}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows 
Service Create with Tscon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}, {"mitre_attack_technique": "Remote Service Session Hijacking"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Wmiprsve 
LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Wsmprovhost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Windows Remote Management"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "Active Directory Password Spraying", "author": "Mauricio Velazco, Splunk", "date": "2021-04-07", "version": 2, "id": "3de109da-97d2-11eb-8b6a-acde48001122", "description": "Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.", "narrative": "In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\\\nPassword Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. 
As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\\\nSpecifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 16 detection analytics which can aid defenders in identifying instances where one source user, source host or source process attempts to authenticate against a target or targets using a high or statiscally unsual, number of unique users. A user, host or process attempting to authenticate with multiple users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. 
The presented detections can also be used in Threat Hunting exercises.", "references": ["https://attack.mitre.org/techniques/T1110/003/", "https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)"], "tags": {"name": "Active Directory Password Spraying", "analytic_story": "Active Directory Password Spraying", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth 
Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows 
Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual 
Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-03-20", "version": 1, "id": "fa34a5d8-df0a-404c-8237-11f99cba1d5f", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Active Directory environments.", "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.\\\nActive Directory is a central component of most enterprise networks, providing authentication and authorization services for users, computers, and other resources. It stores sensitive information such as passwords, user accounts, and security policies, and is therefore a high-value target for attackers. Privilege escalation attacks in Active Directory typically involve exploiting vulnerabilities or misconfigurations across the network to gain elevated privileges, such as Domain Administrator access. 
Once an attacker has escalated their privileges and taken full control of a domain, they can easily move laterally throughout the network, access sensitive data, and carry out further attacks. Security teams should monitor for privilege escalation attacks in Active Directory to identify a breach before attackers achieve operational success.\\\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in an Active Directory network.", "references": ["https://attack.mitre.org/tactics/TA0004/", "https://adsecurity.org/?p=3658", "https://adsecurity.org/?p=2362"], "tags": {"name": "Active Directory Privilege Escalation", "analytic_story": "Active Directory Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.001", "mitre_attack_technique": "Golden Ticket", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Ke3chang"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": 
["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1135", "mitre_attack_technique": "Network Share Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT32", "APT38", "APT39", "APT41", "Chimera", "DarkVishnya", "Dragonfly", "FIN13", "Sowbug", "Tonto Team", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential 
Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1552.006", "mitre_attack_technique": "Group Policy Preferences", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Wizard Spider"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Active Directory Privilege Escalation Identified - Rule", "ESCU - Kerberos 
Service Ticket Request Using RC4 Encryption - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - ServicePrincipalNames Discovery with SetSPN - Rule", "ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule", "ESCU - Unusual Number of Computer Service Tickets Requested - Rule", "ESCU - Unusual Number of Remote Endpoint Authentication Events - Rule", "ESCU - Windows Administrative Shares Accessed On Multiple Hosts - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows DnsAdmins New Member Added - Rule", "ESCU - Windows Domain Admin Impersonation Indicator - Rule", "ESCU - Windows File Share Discovery With Powerview - Rule", "ESCU - Windows Findstr GPP Discovery - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Large Number of Computer Service Tickets Requested - Rule", "ESCU - Windows Local Administrator Credential Stuffing - Rule", "ESCU - Windows PowerSploit GPP Discovery - Rule", "ESCU - Windows PowerView AD Access Control List Enumeration - Rule", "ESCU - Windows Rapid Authentication On Multiple Hosts - Rule", "ESCU - Windows Special Privileged Logon On Multiple Hosts - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Active Directory Privilege Escalation Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}]}}, {"name": "Kerberos Service Ticket Request Using RC4 Encryption", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Golden Ticket"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "ServicePrincipalNames Discovery with SetSPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Unusual Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Unusual Number of Remote Endpoint Authentication Events", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Administrative 
Shares Accessed On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows DnsAdmins New Member Added", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows Domain Admin Impersonation Indicator", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows File Share Discovery With Powerview", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}]}}, {"name": "Windows Findstr GPP Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}}, {"name": "Windows Group 
Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Windows Large Number of Computer Service Tickets Requested", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Share Discovery"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Windows Local Administrator Credential Stuffing", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Windows PowerSploit GPP Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Group Policy Preferences"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows Rapid Authentication On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Windows Special Privileged Logon On Multiple Hosts", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Network Share Discovery"}]}}]}, {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "author": "Michael Haag, Splunk", "date": "2023-08-23", "version": 1, "id": "e33e2e38-f9c2-432d-8be6-bc67b92aa82e", "description": "In July 2023, a significant vulnerability, 
CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.", "narrative": "Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash.\\ Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. 
\\ The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. \\ Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures. \\\nIn conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.", "references": ["https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html", "https://twitter.com/stephenfewer/status/1678881017526886400?s=20", "https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass", "https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/"], "tags": {"name": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "analytic_story": "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", 
"mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Adobe ColdFusion Access Control Bypass - Rule", "ESCU - Adobe ColdFusion Unauthenticated Arbitrary File Read - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Adobe ColdFusion Access Control Bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "AgentTesla", "author": "Teoderick Contreras, Splunk", "date": "2022-04-12", "version": 1, "id": "9bb6077a-843e-418b-b134-c57ef997103c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. 
AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.", "narrative": "Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://cert.gov.ua/article/861292", "https://www.cisa.gov/uscert/ncas/alerts/aa22-216a", "https://www.joesandbox.com/analysis/702680/0/html"], "tags": {"name": "AgentTesla", "analytic_story": "AgentTesla", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", 
"BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon 
Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071.003", "mitre_attack_technique": "Mail 
Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT32", "Kimsuky", "SilverTerrier", "Turla"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD 
Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mail Protocol In Non-Common Process Path - Rule", "ESCU - Windows Multi hop Proxy TOR Website Query - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", 
"type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, 
{"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows File Transfer Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Mail Protocol In Non-Common Process Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Multi hop Proxy TOR Website Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mail Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}]}, {"name": "Amadey", "author": "Teoderick Contreras, Splunk", "date": "2023-06-16", "version": 1, "id": "a919a01b-3ea5-4ed4-9cbe-11cd8b64c36c", "description": "This analytic story contains searches that aims to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan. It is designed to steal sensitive information such as login credentials, credit card details, and other financial data from infected systems. The malware typically targets Windows-based computers.", "narrative": "Amadey is one of the active trojans that are capable of stealing sensitive information via its from the infected or targeted host machine. It can collect various types of data, including browser profile information, clipboard data, capture screenshots and system information. Adversaries or threat actors may use this malware to maximize the impact of infection on the target organization in operations where data collection and exfiltration is the goal. The primary function is to steal information and further distribute malware. 
It aims to extract a variety of information from infected devices and attempts to evade the detection of security measures by reducing the volume of data exfiltration compared to that seen in other malicious instances.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities"], "tags": {"name": "Amadey", "analytic_story": "Amadey", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE 
BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", 
"APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", 
"CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Files and Dirs Access Rights Modification Via Icacls - Rule", "ESCU - 
Windows ISO LNK File Creation - Rule", "ESCU - Windows Powershell RemoteSigned File - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Files and Dirs Access Rights Modification Via Icacls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Powershell RemoteSigned File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Apache Struts Vulnerability", "author": "Rico Valdez, Splunk", "date": "2018-12-06", "version": 1, "id": "2dcfd6a2-e7d2-4873-b6ba-adaf819d2a1e", "description": "Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.", "narrative": "In March of 2017, a remote code-execution vulnerability in the Jakarta 
Multipart parser in Apache Struts, a widely used open-source framework for creating Java web applications, was disclosed and assigned to CVE-2017-5638. About two months later, hackers exploited the flaw to carry out the world's 5th largest data breach. The target, credit giant Equifax, told investigators that it had become aware of the vulnerability two months before the attack. \\\nThe exploit involved manipulating the `Content-Type HTTP` header to execute commands embedded in the header.\\\nThis Analytic Story contains two different searches that help to identify activity that may be related to this issue. The first search looks for characteristics of the `Content-Type` header consistent with attempts to exploit the vulnerability. This should be a relatively pertinent indicator, as the `Content-Type` header is generally consistent and does not have a large degree of variation.\\\nThe second search looks for the execution of various commands typically entered on the command shell when an attacker first lands on a system. These commands are not generally executed on web servers during the course of day-to-day operation, but they may be used when the system is undergoing maintenance or troubleshooting.\\\nFirst, it is helpful is to understand how often the notable event is generated, as well as the commonalities in some of these events. This may help determine whether this is a common occurrence that is of a lesser concern or a rare event that may require more extensive investigation. It can also help to understand whether the issue is restricted to a single user or system or is broader in scope.\\\nWhen looking at the target of the behavior illustrated by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to see what other events involving the target have occurred in the recent past. 
This can help tie different events together and give further situational awareness regarding the target.\\\nVarious types of information for external systems should be reviewed and (potentially) collected if the incident is, indeed, judged to be malicious. Information like this can be useful in generating your own threat intelligence to create alerts in the future.\\\nLooking at the country, responsible party, and fully qualified domain names associated with the external IP address--as well as the registration information associated with those domain names, if they are frequently visited by others--can help you answer the question of \"who,\" in regard to the external system. Answering that can help qualify the event and may serve useful for tracking. In addition, there are various sources that can provide some reputation information on the IP address or domain name, which can assist in determining if the event is malicious in nature. Finally, determining whether or not there are other events associated with the IP address may help connect some dots or show other events that should be brought into scope.\\\nGathering various data elements on the system of interest can sometimes help quickly determine that something suspicious may be happening. Some of these items include determining who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. 
This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\nhen a specific service or application is targeted, it is often helpful to know the associated version to help determine whether or not it is vulnerable to a specific exploit.\\\nhen it is suspected there is an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\nIn the event that a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that have the file open, what processes created and/or modified the file, and the number of systems that may have this file can help to determine if the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes quickly help determine whether it is malicious in nature.\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, there may be activity initiated via a compromised website the user visited.\\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process that is of interest. 
For example, if it turns out that the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might also be worth further scrutiny. If a process is suspect, reviewing the network connections made around the time of the event and/or if the process spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "references": ["https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"], "tags": {"name": "Apache Struts Vulnerability", "analytic_story": "Apache Struts Vulnerability", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Java Classes - Rule", "ESCU - Web Servers Executing Suspicious Processes - Rule", "ESCU - Unusually Long Content-Type Length - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate Suspicious Strings in HTTP Header - Response Task", "ESCU - Investigate Web POSTs From src - Response 
Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Suspicious Java Classes", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Web Servers Executing Suspicious Processes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Unusually Long Content-Type Length", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Asset Tracking", "author": "Bhavin Patel, Splunk", "date": "2017-09-13", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce77", "description": "Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.", "narrative": "This Analytic Story is designed to help you develop a better understanding of what authorized and unauthorized devices are part of your enterprise. This story can help you better categorize and classify assets, providing critical business context and awareness of their assets during an incident. Information derived from this Analytic Story can be used to better inform and support other analytic stories. 
For successful detection, you will need to leverage the Assets and Identity Framework from Enterprise Security to populate your known assets.", "references": ["https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/"], "tags": {"name": "Asset Tracking", "analytic_story": "Asset Tracking", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Sessions"], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Unauthorized Assets by MAC address - Rule"], "investigation_names": ["ESCU - Get First Occurrence and Last Occurrence of a MAC Address - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Count of assets by category"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Unauthorized Assets by MAC address", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "AsyncRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "d7053072-7dd2-4874-8314-bfcbc99978a4", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.", "narrative": "although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. 
The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"], "tags": {"name": "AsyncRAT", "analytic_story": "AsyncRAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", 
"Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus 
Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", 
"Windshift"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or 
Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Powershell Cryptography Namespace - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Powershell Cryptography Namespace", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows 
Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "author": "Michael Haag, Splunk", "date": "2022-06-03", "version": 1, "id": "91623a50-41fa-4c4e-8637-c239b80ff439", "description": "On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog''s release.", "narrative": "Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. 
The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.", "references": ["https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"], "tags": {"name": "Atlassian Confluence Server and Data Center CVE-2022-26134", "analytic_story": "Atlassian Confluence Server and Data Center CVE-2022-26134", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], 
"datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "AwfulShred", "author": "Teoderick Contreras, Splunk", "date": "2023-01-24", "version": 1, "id": "e36935ce-f48c-4fb2-8109-7e80c1cdc9e2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware including wiping files, process kill, system reboot via system request, shred, and service stops.", "narrative": "AwfulShred is a malicious linux shell script designed to corrupt or wipe the linux targeted system. It uses shred command to overwrite files and to increase data damage. 
This obfuscated malicious script can also disable and corrupts apache, HTTP and SSH services, deactivate swap files, clear bash history and finally reboot the system.", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://cert.gov.ua/article/3718487"], "tags": {"name": "AwfulShred", "analytic_story": "AwfulShred", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1562.001", 
"mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Services - 
Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}]}}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, 
{"name": "Linux Indicator Removal Service File Deletion", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "AWS Cross Account Activity", "author": "David Dorsey, Splunk", "date": "2018-06-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-967a2b49ab5a", "description": "Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "narrative": "Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS's Identity and Access Management (IAM) functionality. 
IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\nHerein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\nThis Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. 
After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/"], "tags": {"name": "AWS Cross Account Activity", "analytic_story": "AWS Cross Account Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - aws detect attach to role policy - Rule", "ESCU - aws detect permanent key creation - Rule", "ESCU - aws detect role creation - Rule", "ESCU - aws detect sts assume role abuse - Rule", "ESCU - aws detect sts get session token abuse - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By AccessKeyId - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Cross Account Activity"], 
"author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "aws detect attach to role policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect permanent key creation", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect role creation", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect sts assume role abuse", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "aws detect sts get session token abuse", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}]}}]}, {"name": "AWS Defense Evasion", "author": "Gowthamaraj Rajendran, Splunk", "date": "2022-07-15", "version": 1, "id": "4e00b690-293f-434d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.", "narrative": "Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. 
Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.", "references": ["https://attack.mitre.org/tactics/TA0005/"], "tags": {"name": "AWS Defense Evasion", "analytic_story": "AWS Defense Evasion", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - ASL AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - ASL AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - ASL AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion Delete Cloudtrail - Rule", "ESCU - AWS Defense Evasion Delete CloudWatch Log Group - Rule", "ESCU - AWS Defense Evasion Impair Security Services - Rule", "ESCU - AWS Defense Evasion PutBucketLifecycle - Rule", "ESCU - AWS Defense Evasion Stop Logging Cloudtrail - Rule", "ESCU - AWS Defense Evasion Update Cloudtrail - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "ASL AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or 
Modify Cloud Logs"}]}}, {"name": "ASL AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Delete Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Delete CloudWatch Log Group", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}}, {"name": "AWS Defense Evasion Impair Security Services", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion PutBucketLifecycle", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Stop Logging Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Logs"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Defense Evasion Update Cloudtrail", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}}]}, {"name": "AWS IAM Privilege Escalation", "author": "Bhavin Patel, Splunk", "date": "2021-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-22782eec6750", "description": "This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.", 
"narrative": "Amazon Web Services provides a neat feature called Identity and Access Management (IAM) that enables organizations to manage various AWS services and resources in a secure way. All IAM users have roles, groups and policies associated with them which governs and sets permissions to allow a user to access specific restrictions.\\\nHowever, if these IAM policies are misconfigured and have specific combinations of weak permissions; it can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blogs detailing various AWS Escalation methods. By using this as an inspiration, Splunks research team wants to highlight how these attack vectors look in AWS Cloudtrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story. ", "references": ["https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect", "https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws"], "tags": {"name": "AWS IAM Privilege Escalation", "analytic_story": "AWS IAM Privilege Escalation", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", 
"TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1069.003", "mitre_attack_technique": "Cloud Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": 
["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - ASL AWS CreateAccessKey - Rule", "ESCU - ASL AWS IAM Delete Policy - Rule", "ESCU - ASL AWS Password Policy Changes - Rule", "ESCU - AWS Create Policy Version to allow all resources - Rule", "ESCU - AWS CreateAccessKey - Rule", "ESCU - AWS CreateLoginProfile - Rule", "ESCU - AWS IAM Assume Role Policy Brute Force - Rule", "ESCU - AWS IAM Delete Policy - Rule", "ESCU - AWS IAM Failure Group Deletion - Rule", "ESCU - AWS IAM Successful Group Deletion - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS SetDefaultPolicyVersion - Rule", "ESCU - AWS UpdateLoginProfile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "ASL AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "ASL AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Create Policy Version to allow all resources", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS CreateAccessKey", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "AWS CreateLoginProfile", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "AWS IAM Assume Role Policy Brute Force", "source": 
"cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "AWS IAM Delete Policy", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "AWS IAM Failure Group Deletion", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "AWS IAM Successful Group Deletion", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Groups"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS SetDefaultPolicyVersion", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS UpdateLoginProfile", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}]}, {"name": "AWS Identity and Access Management Account Takeover", "author": "Gowthamaraj Rajendran, Bhavin Patel, Splunk", "date": "2022-08-19", "version": 2, "id": "4210b690-293f-411d-a9d8-bcfb2ea5fff9", "description": "Identify activity and techniques associated with accessing credential files from AWS resources, monitor unusual authentication related activities to the AWS Console and other services such as RDS.", "narrative": "Amazon Web Services provides a web service known as Identity and Access Management(IAM) for controlling and securly managing various AWS resources. 
This is basically the foundation of how users in AWS interact with various resources/services in cloud and vice versa. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. Adversaries employ a variety of techniques to steal AWS Cloud credentials like account names, passwords and keys and takeover legitmate user accounts. Usage of legitimate keys will assist the attackers to gain access to other sensitive system and they can also mimic legitimate behaviour making them harder to be detected. Such activity may involve multiple failed login to the console, new console logins and password reset activities.", "references": ["https://attack.mitre.org/tactics/TA0006/"], "tags": {"name": "AWS Identity and Access Management Account Takeover", "analytic_story": "AWS Identity and Access Management Account Takeover", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", 
"mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1552", 
"mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - ASL AWS Multi-Factor Authentication Disabled - Rule", "ESCU - ASL AWS New MFA Method Registered For User - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS Credential Access Failed Login - Rule", "ESCU - AWS Credential Access GetPasswordData - Rule", "ESCU - AWS Credential Access RDS Password reset - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multi-Factor Authentication Disabled - Rule", "ESCU - AWS Multiple Failed MFA Requests For User - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS New MFA Method Registered For User - Rule", "ESCU - AWS Successful Single-Factor Authentication - Rule", "ESCU - AWS Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Gowthamaraj Rajendran", "detections": [{"name": "ASL AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "ASL AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS Credential Access Failed Login", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "AWS Credential Access GetPasswordData", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "AWS Credential Access RDS Password reset", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS High Number Of Failed 
Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Multiple Failed MFA Requests For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "AWS Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "AWS Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "AWS Network ACL Activity", "author": "Bhavin Patel, Splunk", "date": "2018-05-21", "version": 2, "id": "2e8948a5-5239-406b-b56b-6c50ff268af4", "description": "Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.", "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational/risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. 
It is crucial for a company to monitor events and actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable to attacks. This analytic story contains detection searches that leverage CloudTrail logs from AWS to check for bad configurations and malicious activity in your AWS network access controls.", "references": ["https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html", "https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/"], "tags": {"name": "AWS Network ACL Activity", "analytic_story": "AWS Network ACL Activity", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Network Access Control List Created with All Open Ports - Rule", "ESCU - AWS Network Access Control List Deleted - Rule", "ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Detect Spike in Network ACL Activity - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response 
Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS", "ESCU - Baseline of Network ACL Activity by ARN"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Network Access Control List Created with All Open Ports", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "AWS Network Access Control List Deleted", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Spike in Network ACL Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}]}}]}, {"name": "AWS Security Hub Alerts", "author": "Bhavin Patel, Splunk", "date": "2020-08-04", "version": 1, "id": "2f2f610a-d64d-48c2-b57c-96722b49ab5a", "description": "This story is focused around detecting Security Hub alerts generated from AWS", "narrative": "AWS Security Hub collects and consolidates findings from AWS security services enabled in your environment, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, S3 bucket policy findings from Amazon Macie, publicly accessible and cross-account resources from IAM Access Analyzer, and resources lacking WAF coverage from AWS Firewall Manager.", "references": 
["https://aws.amazon.com/security-hub/features/"], "tags": {"name": "AWS Security Hub Alerts", "analytic_story": "AWS Security Hub Alerts", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in AWS Security Hub Alerts for EC2 Instance - Rule", "ESCU - Detect Spike in AWS Security Hub Alerts for User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in AWS Security Hub Alerts for EC2 Instance", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Spike in AWS Security Hub Alerts for User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "AWS User Monitoring", "author": "Bhavin Patel, Splunk", "date": "2018-03-12", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1269af3", "description": "Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.", "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. 
In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new EC2 instances and increased bandwidth usage. \\\nFortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that helps you enable governance, compliance, and risk auditing of your AWS account--to give you increased visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.\\\nThe detection searches in this Analytic Story are designed to help you uncover AWS API activities from users not listed in the identity table, as well as similar activities from disabled accounts.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "tags": {"name": "AWS User Monitoring", "analytic_story": "AWS User Monitoring", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - ASL AWS Excessive 
Security Scanning - Rule", "ESCU - AWS Excessive Security Scanning - Rule", "ESCU - Detect API activity from users without MFA - Rule", "ESCU - Detect AWS API Activities From Unapproved Accounts - Rule", "ESCU - Detect new API calls from user roles - Rule", "ESCU - Detect Spike in AWS API Activity - Rule", "ESCU - Detect Spike in Security Group Activity - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"], "baseline_names": ["ESCU - Baseline of Security Group Activity by ARN", "ESCU - Create a list of approved AWS service accounts", "ESCU - Baseline of API Calls per User ARN", "ESCU - Previously seen API call per user roles in CloudTrail"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "ASL AWS Excessive Security Scanning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "AWS Excessive Security Scanning", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Detect API activity from users without MFA", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect AWS API Activities From Unapproved Accounts", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect new API calls from user roles", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect Spike in AWS API Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Detect Spike in Security Group Activity", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Azorult", "author": "Teoderick Contreras, Splunk", "date": "2022-06-09", "version": 1, "id": "efed5343-4ac2-42b1-a16d-da2428d0ce94", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. 
This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/"], "tags": {"name": "Azorult", "analytic_story": "Azorult", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", 
"mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", 
"Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", 
"APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], 
"mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", 
"LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, 
{"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", 
"mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", 
"TeamTNT", "Thrip"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - 
Office Product Spawning MSHTA - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Application Layer Protocol RMS Radmin Tool Namedpipe - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Impair Defense Add Xml Applocker Rules - Rule", "ESCU - Windows Impair Defense Deny Security Software With Applocker - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Modify Registry Disable Toast Notifications - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry DisAllow Windows App - Rule", "ESCU - Windows Modify Registry Regedit Silent Reg Import - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Powershell Import Applocker Policy - Rule", "ESCU - Windows Remote Access Software RMS Registry - Rule", "ESCU - Windows Remote Service Rdpwinst Tool Execution - Rule", "ESCU - Windows Remote Services Allow Rdp In Firewall - Rule", "ESCU - Windows Remote Services Allow Remote Assistance - Rule", "ESCU - Windows Remote Services Rdp Enable - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Valid Account With Never Expires Password - Rule", "ESCU - Wmic NonInteractive App Uninstallation - Rule"], "investigation_names": [], 
"baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access 
Removal"}]}}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network 
Connections Discovery"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Application Layer Protocol RMS Radmin Tool Namedpipe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Gather Victim Network Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}}, {"name": "Windows Impair Defense Add Xml Applocker Rules", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify 
Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Deny Security Software With Applocker", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Modify Registry Disable Toast Notifications", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisAllow Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Regedit Silent Reg Import", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing 
Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Powershell Import Applocker Policy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Remote Access Software RMS Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Windows Remote Service Rdpwinst Tool Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Allow Rdp In Firewall", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Allow Remote Assistance", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Remote Services Rdp Enable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Valid Account With Never Expires Password", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Wmic NonInteractive App Uninstallation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Azure Active Directory Account Takeover", "author": "Mauricio Velazco, Splunk", "date": "2022-07-14", "version": 2, "id": "41514c46-7118-4eab-a9bb-f3bfa4e3bea9", "description": "Monitor for activities and techniques associated with Account Takover attacks against Azure Active Directory tenants.", "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. 
This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://attack.mitre.org/techniques/T1586/", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.varonis.com/blog/azure-active-directory", "https://www.barracuda.com/glossary/account-takeover"], "tags": {"name": "Azure Active Directory Account Takeover", "analytic_story": "Azure Active Directory Account Takeover", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial 
Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", 
"LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Azure Active Directory High Risk Sign-in - Rule", "ESCU - Azure AD Authentication Failed During MFA Challenge - Rule", "ESCU - Azure AD Block User Consent For Risky Apps Disabled - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD Device Code Authentication - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD Multi-Factor Authentication Disabled - Rule", "ESCU - Azure AD Multi-Source Failed Authentications Spike - Rule", "ESCU - Azure AD Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - Azure AD Multiple Denied 
MFA Requests For User - Rule", "ESCU - Azure AD Multiple Failed MFA Requests For User - Rule", "ESCU - Azure AD Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD OAuth Application Consent Granted By User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Azure AD Successful PowerShell Authentication - Rule", "ESCU - Azure AD Successful Single-Factor Authentication - Rule", "ESCU - Azure AD Unusual Number of Failed Authentications From Ip - Rule", "ESCU - Azure AD User Consent Blocked for Risky Application - Rule", "ESCU - Azure AD User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure Active Directory High Risk Sign-in", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Azure AD Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "Azure AD Device Code Authentication", "source": 
"cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Azure AD Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Azure AD Multiple Denied MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Azure AD Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD OAuth Application Consent Granted By User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD Successful PowerShell Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": 
"Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Azure AD Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "Azure AD User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "Azure AD User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}]}, {"name": "Azure Active Directory Persistence", "author": "Mauricio Velazco, Splunk", "date": "2022-08-17", "version": 1, "id": "dca983db-6334-4a0d-be32-80611ca1396c", "description": "Monitor for activities and techniques associated with the execution of Persistence techniques against Azure Active Directory tenants.", "narrative": "Azure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\\ Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. 
This analytic storic groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants. ", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis", "https://azure.microsoft.com/en-us/services/active-directory/#overview", "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad", "https://attack.mitre.org/tactics/TA0003/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/"], "tags": {"name": "Azure Active Directory Persistence", "analytic_story": "Azure Active Directory Persistence", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1484.002", "mitre_attack_technique": "Domain Trust Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": 
["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Azure AD External Guest User Invited - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD New Custom Domain Added - Rule", "ESCU - Azure AD New Federated Domain Added - Rule", "ESCU - Azure AD New MFA Method Registered - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Role Assigned - Rule", "ESCU - Azure AD Service Principal Created - Rule", "ESCU - Azure AD Service Principal New 
Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule", "ESCU - Azure AD Tenant Wide Admin Consent Granted - Rule", "ESCU - Azure AD User Enabled And Password Reset - Rule", "ESCU - Azure AD User ImmutableId Attribute Updated - Rule", "ESCU - Azure Automation Account Created - Rule", "ESCU - Azure Automation Runbook Created - Rule", "ESCU - Azure Runbook Webhook Created - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD External Guest User Invited", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD New Custom Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Domain Trust Modification"}]}}, {"name": "Azure AD New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Domain Trust Modification"}]}}, {"name": "Azure AD New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, 
{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Privileged Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Service Principal Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure AD Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD User Enabled And Password Reset", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure AD User ImmutableId Attribute Updated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Azure Automation Account Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure Automation Runbook Created", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}, {"mitre_attack_technique": "Cloud Account"}]}}, {"name": "Azure Runbook Webhook Created", "source": "cloud", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Azure Active Directory Privilege Escalation", "author": "Mauricio Velazco, Splunk", "date": "2023-04-24", "version": 1, "id": "ec78e872-b79c-417d-b256-8fde902522fb", "description": "Monitor for activities and techniques associated with Privilege Escalation attacks within Azure Active Directory tenants.", "narrative": "Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations or vulnerabilities.\\\nAzure Active Directory (Azure AD) is Microsofts enterprise cloud-based identity and access management (IAM) service. Azure AD is the backbone of most of Azure services like Office 365 and Microsoft Teams. It can sync with on-premise Active Directory environments and provide authentication to other cloud-based systems via the OAuth protocol. According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.\\\nPrivilege escalation attacks in Azure AD typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages Azure AD including moving laterally to Azure virtual machines to access sensitive data and carry out further attacks. 
Security teams should monitor for privilege escalation attacks in Azure Active Directory to identify breaches before attackers achieve operational success.\\\nThe following analytic story groups detection opportunities that seek to identify an adversary attempting to escalate privileges in Azure AD tenants.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://cloudbrothers.info/en/azure-attack-paths/", "https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/PrivEsc/", "https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5"], "tags": {"name": "Azure Active Directory Privilege Escalation", "analytic_story": "Azure Active Directory Privilege Escalation", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Persistence", "Privilege Escalation"], "datamodels": 
["Authentication"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Azure AD Application Administrator Role Assigned - Rule", "ESCU - Azure AD Global Administrator Role Assigned - Rule", "ESCU - Azure AD PIM Role Assigned - Rule", "ESCU - Azure AD PIM Role Assignment Activated - Rule", "ESCU - Azure AD Privileged Authentication Administrator Role Assigned - Rule", "ESCU - Azure AD Privileged Role Assigned to Service Principal - Rule", "ESCU - Azure AD Service Principal New Client Credentials - Rule", "ESCU - Azure AD Service Principal Owner Added - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Azure AD Application Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Global Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD PIM Role Assignment Activated", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Privileged Authentication Administrator Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}]}}, {"name": "Azure AD Privileged Role Assigned to Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account 
Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "Azure AD Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "Azure AD Service Principal Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}]}, {"name": "Baron Samedit CVE-2021-3156", "author": "Shannon Davis, Splunk", "date": "2021-01-27", "version": 1, "id": "817b0dfc-23ba-4bcc-96cc-2cb77e428fbe", "description": "Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.", "narrative": "A non-privledged user is able to execute the sudoedit command to trigger a buffer overflow. After the successful buffer overflow, they are then able to gain root privileges on the affected host. The conditions needed to be run are a trailing \"\\\" along with shell and edit flags. 
Monitoring the /var/log directory on Linux hosts using the Splunk Universal Forwarder will allow you to pick up this behavior when using the provided detection.", "references": ["https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit"], "tags": {"name": "Baron Samedit CVE-2021-3156", "analytic_story": "Baron Samedit CVE-2021-3156", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Baron Samedit CVE-2021-3156 - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 Segfault - Rule", "ESCU - Detect Baron Samedit CVE-2021-3156 via OSQuery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Baron Samedit CVE-2021-3156", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Detect Baron Samedit CVE-2021-3156 Segfault", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Detect Baron Samedit CVE-2021-3156 via OSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege 
Escalation"}]}}]}, {"name": "BishopFox Sliver Adversary Emulation Framework", "author": "Michael Haag, Splunk", "date": "2023-01-24", "version": 1, "id": "8c2e2cba-3fd8-424f-a890-5080bdaf3f31", "description": "The following analytic story providers visibility into the latest adversary TTPs in regard to the use of Sliver. Sliver has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike. It is designed to be scalable and can be used by organizations of all sizes to perform security testing. Sliver is highly modular and contains an Extension package manager (armory) allowing easy install (automatic compilation) of various 3rd party tools such as BOFs and .NET tooling like Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and so forth) (CyberReason,2023).", "narrative": "Sliver is an open source cross-platform adversary emulation/red team framework produced by BishopFox.", "references": ["https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", "https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/sliverarmory/armory", "https://github.com/BishopFox/sliver"], "tags": {"name": "BishopFox Sliver Adversary Emulation Framework", "analytic_story": "BishopFox Sliver Adversary Emulation Framework", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", 
"Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Notepad with no Command Line Arguments - Rule", "ESCU - Windows Process Injection into Notepad - Rule", "ESCU - Windows Service Create SliverC2 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Notepad with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Process Injection into Notepad", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Service Create SliverC2", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "BITS Jobs", "author": "Michael Haag, Splunk", "date": "2021-03-26", "version": 1, "id": "dbc7edce-8e4c-11eb-9f31-acde48001122", "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious 
payloads.", "narrative": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool. Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).", "references": ["https://attack.mitre.org/techniques/T1197/", "https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool"], "tags": {"name": "BITS Jobs", "analytic_story": "BITS Jobs", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", 
"BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - PowerShell Start-BitsTransfer - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "PowerShell Start-BitsTransfer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}]}, {"name": "BlackByte Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-07-10", "version": 1, "id": "b18259ac-0746-45d7-bd1f-81d65274a80b", "description": "Leverage searches that allow you to detect and investigate unusual 
activities that might relate to the BlackByte ransomware, including looking for file writes associated with BlackByte, persistence, initial access, account registry modification and more.", "narrative": "BlackByte ransomware campaigns targeting business operations, involve the use of ransomware payloads, infection chain to collect and exfiltrate data and drop payload on the targeted system. BlackByte Ransomware operates by infiltrating a system through various methods, such as malicious email attachments, exploit kits, or compromised websites. Once inside a system, it begins encrypting files using strong encryption algorithms, rendering them unusable. After completing the encryption process, BlackByte Ransomware typically leaves a ransom note that explains the situation to the victim and provides instructions on how to pay the ransom to obtain the decryption key.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"], "tags": {"name": "BlackByte Ransomware", "analytic_story": "BlackByte Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", 
"Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", 
"mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, 
{"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", 
"LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], 
"mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", 
"TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": 
"Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1563.002", "mitre_attack_technique": "RDP Hijacking", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Axiom"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - 
Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Modify Registry EnableLinkedConnections - Rule", "ESCU - Windows Modify Registry LongPathsEnabled - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows RDP Connection Successful - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious 
GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "W3WP Spawning 
Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Modify Registry EnableLinkedConnections", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry LongPathsEnabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows RDP Connection Successful", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RDP Hijacking"}]}}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "BlackLotus Campaign", "author": "Michael Haag, Splunk", "date": "2023-04-14", "version": 1, "id": "8eb0e418-a2b6-4327-a387-85c976662c8f", "description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality", "narrative": "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. 
(ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "tags": {"name": "BlackLotus Campaign", "analytic_story": "BlackLotus Campaign", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1542.003", "mitre_attack_technique": "Bootkit", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT28", "APT41", "Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", 
"ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows WinLogon with Public Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows WinLogon with Public Network Connection", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bootkit"}]}}]}, {"name": "Brand Monitoring", "author": "David Dorsey, Splunk", "date": "2017-12-19", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce78", "description": "Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.", "narrative": "While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Of course, your adversaries are all too aware of this reality and will happily leverage it for nefarious purposes whenever possible3phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.\\\nYou can use our adaptation of `DNSTwist`, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. 
Splunk can monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness--powerful elements of an effective defense.\\\nNotable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.", "references": ["https://www.zerofox.com/blog/what-is-digital-risk-monitoring/", "https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/", "https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/"], "tags": {"name": "Brand Monitoring", "analytic_story": "Brand Monitoring", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Email", "Network_Resolution", "Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Monitor DNS For Brand Abuse - Rule", "ESCU - Monitor Web Traffic For Brand Abuse - Rule"], "investigation_names": ["ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - DNSTwist Domain Names"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor DNS For Brand Abuse", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor Web Traffic For Brand Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Brute Ratel C4", "author": "Teoderick 
Contreras, Splunk", "date": "2022-08-23", "version": 1, "id": "0ec9dbfe-f64e-46bb-8eb8-04e92326f513", "description": "Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.", "narrative": "Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.", "references": ["https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/", "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/"], "tags": {"name": "Brute Ratel C4", "analytic_story": "Brute Ratel C4", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1589.001", "mitre_attack_technique": "Credentials", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT28", "Chimera", "LAPSUS$", "Leviathan", "Magic Hound"]}, {"mitre_attack_id": "T1589", "mitre_attack_technique": "Gather Victim Identity Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["APT32", "FIN13", "HEXANE", "LAPSUS$", "Magic Hound"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1056.002", "mitre_attack_technique": "GUI Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["FIN4"]}, {"mitre_attack_id": "T1056", "mitre_attack_technique": "Input Capture", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["APT39"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": 
"Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", 
"mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Defense Evasion", "Execution", "Impact", "Initial Access", "Persistence", "Privilege 
Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Access Token Manipulation Winlogon Duplicate Token Handle - Rule", "ESCU - Windows Access Token Winlogon Duplicate Handle In Uncommon Path - Rule", "ESCU - Windows Defacement Modify Transcodedwallpaper File - Rule", "ESCU - Windows Gather Victim Identity SAM Info - Rule", "ESCU - Windows Hijack Execution Flow Version Dll Side Load - Rule", "ESCU - Windows Input Capture Using Credential UI Dll - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection With Public Source Path - Rule", "ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Access Token Manipulation 
SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Access Token Manipulation Winlogon Duplicate Token Handle", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Token Impersonation/Theft"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Defacement Modify Transcodedwallpaper File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Windows Gather Victim Identity SAM Info", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials"}, {"mitre_attack_technique": "Gather Victim Identity Information"}]}}, {"name": "Windows Hijack Execution Flow Version Dll Side Load", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows Input Capture Using Credential UI Dll", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "GUI Input Capture"}, {"mitre_attack_technique": "Input Capture"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, 
{"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection With Public Source Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Remote Access Software BRC4 Loaded Dll", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Caddy Wiper", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "435a156a-8ef1-4184-bd52-22328fb65d3a", "description": "Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.", "narrative": "Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. 
This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.", "references": ["https://twitter.com/ESETresearch/status/1503436420886712321", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/"], "tags": {"name": "Caddy Wiper", "analytic_story": "Caddy Wiper", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}]}, {"name": "CISA AA22-257A", "author": "Michael Haag, Splunk", "date": "2022-09-15", "version": 1, "id": "e1aec96e-bc7d-4edf-8ff7-3da9b7b29147", "description": "The Iranian government-sponsored APT actors are actively targeting a broad 
range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.", "narrative": "This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. 
This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa21-321a", "https://www.cisa.gov/uscert/ncas/alerts/aa22-257a", "https://www.ic3.gov/Media/News/2021/210527.pdf", "https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml", "https://www.us-cert.cisa.gov/iran"], "tags": {"name": "CISA AA22-257A", "analytic_story": "CISA AA22-257A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", 
"Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard 
Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Detect 
Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Protocol Tunneling with Plink - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Protocol Tunneling with Plink", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "SSH"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "CISA AA22-264A", "author": "Michael Haag, Splunk", "date": "2022-09-22", "version": 1, "id": "bc7056a5-c3b0-4b83-93ce-5f31739305c8", "description": 
"Iranian State Actors Conduct Cyber Operations Against the Government of Albania.", "narrative": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-264a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf", "https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against", "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/"], "tags": {"name": "CISA AA22-264A", "analytic_story": "CISA AA22-264A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", 
"FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, 
{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", 
"TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - 
Attacker Tools On Endpoint - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows System File on Disk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, 
{"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk 
Wipe"}]}}, {"name": "Windows System File on Disk", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "CISA AA22-277A", "author": "Michael Haag, Splunk", "date": "2022-10-05", "version": 1, "id": "db408f93-e915-4215-9962-5fada348bdd7", "description": "From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.", "narrative": "CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-277a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf"], "tags": {"name": "CISA AA22-277A", "analytic_story": "CISA AA22-277A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", 
"Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth 
Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto 
Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", 
"BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - 
Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Detect Renamed WinRAR", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows 
Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}]}, {"name": "CISA AA22-320A", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4", "description": "CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.", "narrative": "From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. 
In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.", "references": ["https://www.cisa.gov/uscert/ncas/alerts/aa22-320a", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "CISA AA22-320A", "analytic_story": "CISA AA22-320A", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": 
["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", 
"Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", 
"LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark 
Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat 
Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - GetAdComputer with PowerShell Script Block - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Powershell Windows Defender 
Exclusion Commands - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - XMRIG Driver Loaded - Rule", "ESCU - Ngrok Reverse Proxy on Network - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, 
{"mitre_attack_technique": "Service Execution"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "GetAdComputer with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege 
Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload 
Injection with Outbound Connection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "CISA AA23-347A", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-12-14", "version": 1, "id": "438d5423-2aa2-4bff-9606-3e3e6c583ea6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.", "narrative": "SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. 
Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a"], "tags": {"name": "CISA AA23-347A", "analytic_story": "CISA AA23-347A", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account 
Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", 
"Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", 
"Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.004", "mitre_attack_technique": "AS-REP Roasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", 
"Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup 
Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", 
"FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token 
Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": 
["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003.004", "mitre_attack_technique": "LSA Secrets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "APT33", "Dragonfly", "Ke3chang", "Leafminer", "MuddyWater", "OilRig", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1057", "mitre_attack_technique": "Process Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT37", "APT38", "Andariel", "Chimera", "Darkhotel", "Deep Panda", "Earth Lusca", "Gamaredon Group", "HAFNIUM", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Rocke", "Sidewinder", "Stealth Falcon", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windshift", "Winnti Group"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], 
"mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk", "Web"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Disable AMSI 
Through Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabled Kerberos Pre-Authentication Discovery With Get-ADUser - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Get ADUser with PowerShell - Rule", "ESCU - Get ADUser with PowerShell Script Block - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell - Rule", "ESCU - Get ADUserResultantPasswordPolicy with Powershell Script Block - Rule", "ESCU - Get DomainUser with PowerShell - Rule", "ESCU - Get DomainUser with PowerShell Script Block - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rubeus Command Line Parameters - Rule", "ESCU - Rubeus Kerberos Ticket Exports Through Winlogon Access - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Services LOLBAS 
Execution Process Spawn - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Account Discovery for None Disable User Account - Rule", "ESCU - Windows Account Discovery for Sam Account Name - Rule", "ESCU - Windows Account Discovery With NetUser PreauthNotRequire - Rule", "ESCU - Windows Archive Collected Data via Powershell - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows Domain Account Discovery Via Get-NetComputer - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Known GraphicalProton Loaded Modules - Rule", "ESCU - Windows LSA Secrets NoLMhash Registry - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows Modify Registry Disable Restricted Admin - Rule", "ESCU - Windows Modify Registry Disable Win Defender Raw Write Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Disable Windows Security Center Notif - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - 
Windows Modify Registry Disabling WER Settings - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Suppress Win Defender Notif - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Process Commandline Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Remote Create Service - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation on Remote Endpoint - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Initiation on Remote Endpoint - Rule", "ESCU - Windows Service Stop Win Updates - Rule", "ESCU - Windows System User Privilege Discovery - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": 
"TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, 
{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Get ADUser with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get ADUserResultantPasswordPolicy with Powershell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "Get DomainUser with PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Get DomainUser with PowerShell Script Block", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon 
Autostart Execution"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rubeus Command Line Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}, {"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}, {"mitre_attack_technique": "AS-REP Roasting"}]}}, {"name": "Rubeus Kerberos Ticket Exports Through Winlogon Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Account Discovery for None Disable User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Account Discovery for Sam Account Name", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Account Discovery With NetUser PreauthNotRequire", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Archive Collected Data via Powershell", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Windows Common 
Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Domain Account Discovery Via Get-NetComputer", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Account"}]}}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Known GraphicalProton Loaded Modules", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows LSA Secrets NoLMhash Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSA Secrets"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Modify Registry Disable Restricted Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Win Defender Raw Write Notif", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable Windows Security Center Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disabling WER Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Suppress Win Defender Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Process Commandline Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Discovery"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Remote Create Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Creation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows System User Privilege Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "author": "Michael Haag, Splunk", "date": "2023-10-17", "version": 1, "id": "b5394b6a-b774-4bb6-a2bc-98f98cf7be88", "description": "Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. 
Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity.", "narrative": "Cisco discovered early evidence of potentially malicious activity on September 28, 2023, when a case was opened with Cisco's Technical Assistance Center (TAC) that identified unusual behavior on a customer device. Upon further investigation, they observed what they have determined to be related activity as early as September 18. The activity included an authorized user creating a local user account under the username cisco_tac_admin from a suspicious IP address. On October 12, Cisco Talos Incident Response (Talos IR) and TAC detected what they later determined to be an additional cluster of related activity that began on that same day. In this cluster, an unauthorized user was observed creating a local user account under the name cisco_support from a second suspicious IP address. Unlike the September case, this October activity included several subsequent actions, including the deployment of an implant consisting of a configuration file (cisco_service.conf). The configuration file defines the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters, described in more detail below, that allows the actor to execute arbitrary commands at the system level or IOS level. 
For the implant to become active, the web server must be restarted; in at least one observed case the server was not restarted so the implant never became active despite being installed.", "references": ["https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"], "tags": {"name": "Cisco IOS XE Software Web Management User Interface vulnerability", "analytic_story": "Cisco IOS XE Software Web Management User Interface vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Cisco IOS XE Implant Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Cisco IOS XE Implant Access", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "author": "Michael Haag, Splunk", "date": "2023-10-24", "version": 1, "id": "b194d644-4095-431a-bee0-a8e6ec067414", "description": "A critical security update, CVE-2023-4966, has been released for NetScaler ADC and NetScaler Gateway. 
This vulnerability, discovered by our internal team, can result in unauthorized data disclosure if exploited. Reports of incidents consistent with session hijacking have been received. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog. No workarounds are available for this vulnerability, and immediate installation of the recommended builds is strongly advised.", "narrative": "On October 10, 2023, Cloud Software Group released builds to fix CVE-2023-4966, a vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Although there were no known exploits at the time of disclosure, we have since received credible reports of targeted attacks exploiting this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. We strongly recommend that users of affected builds immediately install the recommended builds, as this vulnerability has been identified as critical. 
No workarounds are available for this vulnerability.", "references": ["https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/", "https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967", "https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966", "https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966", "https://github.com/projectdiscovery/nuclei-templates/blob/b815d23b908de52996060163091395d1c89fbeea/http/cves/2023/CVE-2023-4966.yaml"], "tags": {"name": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "analytic_story": "Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Citrix ADC and Gateway Unauthorized Data Disclosure - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC and Gateway Unauthorized Data Disclosure", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing 
Application"}]}}]}, {"name": "Citrix Netscaler ADC CVE-2023-3519", "author": "Michael Haag, Splunk", "date": "2023-07-20", "version": 1, "id": "094df1fe-4345-4c01-8a0f-c65cf7b758bd", "description": "The CVE-2023-3519 vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway has been exploited by threat actors, as detailed in a recent advisory. The unauthenticated remote code execution vulnerability was utilized as a zero-day to establish a webshell on a non-production environment NetScaler ADC appliance within a critical infrastructure organization. This facilitated the execution of discovery on the victim's active directory and the collection and exfiltration of data. The advisory offers a comprehensive examination of the threat actors' tactics, techniques, and procedures (TTPs), alongside recommended detection methods and incident response guidelines. Immediate patch application from Citrix and the use of the detection guidance in the advisory is strongly recommended for critical infrastructure organizations to mitigate system compromises.", "narrative": "Recent advisories have highlighted the exploitation of CVE-2023-3519, a critical vulnerability in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors utilized this vulnerability to implant a webshell on a NetScaler ADC appliance within a critical infrastructure organization's non-production environment. This action granted them the ability to perform active directory discovery, data collection, and exfiltration. Notably, attempts for lateral movement to a domain controller were obstructed by network-segmentation controls. \\\nThe compromised organization reported the breach, leading Citrix to issue a patch on July 18, 2023. 
Multiple advisories have since outlined the threat actors' tactics, techniques, and procedures (TTPs), including their initial access, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and impact. These advisories also provide detection methods and recommend incident response measures. \\\nThe threat actors executed several activities during their attack, such as uploading a TGZ file with a generic webshell, discovery script, and setuid binary on the ADC appliance; conducting SMB scanning on the subnet; using the webshell for active directory enumeration and data exfiltration; and accessing NetScaler configuration files and decryption keys. They also decrypted an active directory credential, queried the active directory for various information, encrypted collected data, exfiltrated it as an image file, and attempted to erase their artifacts. Despite these actions, further discovery and lateral movement were impeded due to the organization's network-segmentation controls. \\\nAdvisories suggest conducting specific checks on the ADC shell interface to detect signs of compromise. If a compromise is detected, organizations should isolate potentially affected hosts, reimage compromised hosts, provide new account credentials, collect and review artifacts, and report the compromise. To mitigate the threat, organizations are advised to promptly install the relevant updates for NetScaler ADC and NetScaler Gateway, adhere to cybersecurity best practices, and apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices. 
\\", "references": ["https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519", "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf", "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"], "tags": {"name": "Citrix Netscaler ADC CVE-2023-3519", "analytic_story": "Citrix Netscaler ADC CVE-2023-3519", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Citrix ADC Exploitation CVE-2023-3519 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Citrix ADC Exploitation CVE-2023-3519", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Citrix ShareFile RCE CVE-2023-24489", "author": "Michael Haag, Splunk", "date": "2023-07-26", "version": 1, "id": "10c7e01a-5743-4995-99df-a66f6b5db653", "description": "A critical vulnerability has been discovered in ShareFile's Storage Zones Controller software (CVE-2023-24489), used by numerous organizations for file sharing and storage. 
The vulnerability allows unauthenticated arbitrary file upload and remote code execution due to a cryptographic bug in the software's encryption but lack of authentication system. The risk comes from a failing encryption check, allowing potential cybercriminals to upload malicious files to the server. The bug was found in the Documentum Connector's .aspx files. The security risk has a potentially large impact due to the software's wide use and the sensitivity of the stored data. Citrix has released a security update to address this issue.", "narrative": "The ShareFile Storage Zones Controller is a .NET web application running under IIS, which manages the storage of files in ShareFile's system. It was discovered that this software has a critical vulnerability (CVE-2023-24489) in the file upload functionality provided by the Documentum Connector's .aspx files. Specifically, the security flaw lies in the encryption check in the file upload process which could be bypassed, allowing for unauthenticated arbitrary file uploads and remote code execution. \\\nThe application sets the current principal from a session cookie, but if this is missing, the application continues without authentication. The application uses AES encryption, with CBC mode and PKCS#7 padding. A decryption check is in place which returns an error if the decryption fails, but this can be bypassed by supplying a ciphertext that results in valid padding after decryption, thereby not causing an exception. \\\nThe Documentum Connector's upload.aspx file, when uploading a file, calls the ProcessRawPostedFile function, which allows a path traversal due to improper sanitization of the 'uploadId' parameter. It allows the 'filename' and 'uploadId' parameters to be concatenated, and while the 'filename' parameter is sanitized, the 'uploadId' is not. The 'parentid' parameter is passed in but is also not used. 
\\\nThe vulnerability enables an attacker to upload a webshell or any other malicious file, by providing a properly padded encrypted string for the 'parentid' parameter, and specifying the path for the 'uploadId' and the name for the 'filename'. An attacker can achieve remote code execution by requesting the uploaded file. The issue was addressed by Citrix in a recent security update.", "references": ["https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability", "https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/"], "tags": {"name": "Citrix ShareFile RCE CVE-2023-24489", "analytic_story": "Citrix ShareFile RCE CVE-2023-24489", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], 
"mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Citrix ShareFile Exploitation CVE-2023-24489 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Citrix ShareFile Exploitation CVE-2023-24489", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Cloud Cryptomining", "author": "David Dorsey, Splunk", "date": "2019-10-02", "version": 1, "id": "3b96d13c-fdc7-45dd-b3ad-c132b31cdd2a", "description": "Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.", "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. 
It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\nThis Analytic Story is focused on detecting suspicious new instances in your cloud environment to help prevent cryptominers from gaining a foothold. It contains detection searches that will detect when a previously unused instance type or AMI is used. It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Cloud Cryptomining", "analytic_story": "Cloud Cryptomining", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", 
"OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - Cloud Compute Instance Created By Previously Unseen User - Rule", "ESCU - Cloud Compute Instance Created In Previously Unused Region - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Image - Rule", "ESCU - Cloud Compute Instance Created With Previously Unseen Instance Type - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Instances Destroyed", "ESCU - Baseline Of Cloud Instances Launched", "ESCU - Previously Seen Cloud Compute Creations By User - Initial", "ESCU - Previously Seen Cloud Compute Creations By User - Update", "ESCU - Previously Seen Cloud Compute Images - Initial", "ESCU - Previously Seen Cloud Compute Images - Update", "ESCU - Previously Seen Cloud Compute Instance Types - Initial", "ESCU - Previously Seen Cloud Compute Instance Types - Update", "ESCU - Previously Seen Cloud Regions - Initial", "ESCU - Previously Seen Cloud Regions - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": 
"Abnormally High Number Of Cloud Instances Launched", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Compute Instance Created By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Compute Instance Created In Previously Unused Region", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Cloud Compute Instance Created With Previously Unseen Image", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Cloud Compute Instance Created With Previously Unseen Instance Type", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Cloud Federated Credential Abuse", "author": "Rod Soto, Splunk", "date": "2021-01-26", "version": 1, "id": "cecdc1e7-0af2-4a55-8967-b9ea62c0317d", "description": "This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. 
If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.", "narrative": "This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.", "references": ["https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a"], "tags": {"name": "Cloud Federated Credential Abuse", "analytic_story": "Cloud Federated Credential Abuse", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": 
["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AWS SAML Access by Provider User and Principal - Rule", "ESCU - AWS SAML Update identity provider - Rule", "ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - 
O365 New Federated Domain Added - Rule", "ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz Via PowerShell And EventCode 4703 - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS SAML Access by Provider User and Principal", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS SAML Update identity provider", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz Via PowerShell And EventCode 4703", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Certutil exe 
certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}]}, {"name": "Cobalt Strike", "author": "Michael Haag, Splunk", "date": "2021-02-16", "version": 1, "id": "bcfd17e8-5461-400a-80a2-3b7d1459220c", "description": "Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Cobalt Strike. Cobalt Strike has many ways to be enhanced by using aggressor scripts, malleable C2 profiles, default attack packages, and much more. For endpoint behavior, Cobalt Strike is most commonly identified via named pipes, spawn to processes, and DLL function names. Many additional variables are provided for in memory operation of the beacon implant. On the network, depending on the malleable C2 profile used, it is near infinite in the amount of ways to conceal the C2 traffic with Cobalt Strike. 
Not every query may be specific to Cobalt Strike the tool, but the methodologies and techniques used by it.\\\nSplunk Threat Research reviewed all publicly available instances of Malleabe C2 Profiles and generated a list of the most commonly used spawnto and pipenames.\\\n`Spawnto_x86` and `spawnto_x64` is the process that Cobalt Strike will spawn and injects shellcode into.\\\nPipename sets the named pipe name used in Cobalt Strikes Beacon SMB C2 traffic.\\\nWith that, new detections were generated focused on these spawnto processes spawning without command line arguments. Similar, the named pipes most commonly used by Cobalt Strike added as a detection. In generating content for Cobalt Strike, the following is considered:\\\n- Is it normal for spawnto_ value to have no command line arguments? No command line arguments and a network connection?\\\n- What is the default, or normal, process lineage for spawnto_ value?\\\n- Does the spawnto_ value make network connections?\\\n- Is it normal for spawnto_ value to load jscript, vbscript, Amsi.dll, and clr.dll?\\\nWhile investigating a detection related to this Analytic Story, keep in mind the parent process, process path, and any file modifications that may occur. 
Tuning may need to occur to remove any false positives.", "references": ["https://www.cobaltstrike.com/", "https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/", "https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/", "https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html", "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html", "https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence", "https://github.com/zer0yu/Awesome-CobaltStrike"], "tags": {"name": "Cobalt Strike", "analytic_story": "Cobalt Strike", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command 
Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Detect Regsvr32 
Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SearchProtocolHost with no Command Line with Network - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}]}, {"name": "ColdRoot MacOS RAT", "author": "Jose Hernandez, Splunk", "date": "2019-01-09", "version": 1, "id": "bd91a2bc-d20b-4f44-a982-1bea98e86390", "description": "Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.", "narrative": "Conventional wisdom holds that Apple's MacOS operating system is significantly less vulnerable to attack than Windows machines. While that point is debatable, it is true that attacks against MacOS systems are much less common. However, this fact does not mean that Macs are impervious to breaches. To the contrary, research has shown that that Mac malware is increasing at an alarming rate. According to AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the year before—a 31% increase. 
In contrast, the independent research firm found that new Windows malware had increased from 65.17M to 76.86M during that same period, less than half the rate of growth. The bottom line is that while the numbers look a lot smaller than Windows, it's definitely time to take Mac security more seriously.\\\nThis Analytic Story addresses the ColdRoot remote access trojan (RAT), which was uploaded to Github in 2016, but was still escaping detection by the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist passwords from users' keychains and remotely control infected machines without detection. In the initial report of his findings, Patrick Wardle, Chief Research Officer for Digita Security, explained that the new ColdRoot RAT could start and kill processes on the breached system, spawn new remote-desktop sessions, take screen captures and assemble them into a live stream of the victim's desktop, and more.\\\nSearches in this Analytic Story leverage the capabilities of OSquery to address ColdRoot detection from several different angles, such as looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.", "references": ["https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/", "https://objective-see.com/blog/blog_0x2A.html", "https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/"], "tags": {"name": "ColdRoot MacOS RAT", "analytic_story": "ColdRoot MacOS RAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Endpoint"], "kill_chain_phases": []}, "detection_names": ["ESCU - Osquery pack - ColdRoot detection - Rule", "ESCU - MacOS - 
Re-opened Applications - Rule", "ESCU - Processes Tapping Keyboard Events - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate Network Traffic From src ip - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Osquery pack - ColdRoot detection", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "MacOS - Re-opened Applications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Processes Tapping Keyboard Events", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Collection and Staging", "author": "Rico Valdez, Splunk", "date": "2020-02-03", "version": 1, "id": "8e03c61e-13c4-4dcd-bfbe-5ce5a8dc031a", "description": "Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data. ", "narrative": "A common adversary goal is to identify and exfiltrate data of value from a target organization. This data may include email conversations and addresses, confidential company information, links to network design/infrastructure, important dates, and so on.\\\n Attacks are composed of three activities: identification, collection, and staging data for exfiltration. Identification typically involves scanning systems and observing user activity. Collection can involve the transfer of large amounts of data from various repositories. Staging/preparation includes moving data to a central location and compressing (and optionally encoding and/or encrypting) it. All of these activities provide opportunities for defenders to identify their presence. 
\\\nUse the searches to detect and monitor suspicious behavior related to these activities.", "references": ["https://attack.mitre.org/wiki/Collection", "https://attack.mitre.org/wiki/Technique/T1074"], "tags": {"name": "Collection and Staging", "analytic_story": "Collection and Staging", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", 
"mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Email files written outside of the Outlook directory - Rule", "ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Suspicious writes to System Volume Information - Rule", "ESCU - Detect Renamed 7-Zip - Rule", "ESCU - Detect Renamed WinRAR - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Hosts receiving high volume of network traffic from email server - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Email files written outside of the Outlook directory", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}}, {"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "Suspicious writes to System Volume Information", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Detect Renamed 7-Zip", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Detect Renamed WinRAR", "source": 
"endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hosts receiving high volume of network traffic from email server", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}]}}]}, {"name": "Command And Control", "author": "Rico Valdez, Splunk", "date": "2018-06-01", "version": 1, "id": "943773c6-c4de-4f38-89a8-0b92f98804d8", "description": "Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate Command And Control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.", "narrative": "Threat actors typically architect and implement an infrastructure to use in various ways during the course of their attack campaigns. In some cases, they leverage this infrastructure for scanning and performing reconnaissance activities. In others, they may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These servers establish a command and control channel that is used to proxy data between the compromised endpoint and the attacker. These channels relay commands from the attacker to the compromised endpoint and the output of those commands back to the attacker.\\\nBecause this communication is so critical for an adversary, they often use techniques designed to hide the true nature of the communications. 
There are many different techniques used to establish and communicate over these channels. This Analytic Story provides searches that look for a variety of the techniques used for these channels, as well as indications that these channels are active, by examining logs associated with border control devices and network-access control lists.", "references": ["https://attack.mitre.org/wiki/Command_and_Control", "https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware"], "tags": {"name": "Command And Control", "analytic_story": "Command And Control", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, 
{"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule", "ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS 
Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect Large Outbound ICMP Packets - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS", "ESCU - Baseline of DNS Query Length - MLTK", "ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted 
Non-C2 Protocol"}]}}, {"name": "Detect Long DNS TXT Record Response", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect Large Outbound ICMP Packets", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query 
Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}}]}, {"name": "Compromised User Account", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2023-01-19", "version": 1, "id": "19669154-e9d1-4a01-b144-e6592a078092", "description": "Monitor for activities and techniques associated with Compromised User Account attacks.", "narrative": "Compromised User Account occurs when 
cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.", "references": ["https://www.proofpoint.com/us/threat-reference/compromised-account"], "tags": {"name": "Compromised User Account", "analytic_story": "Compromised User Account", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", 
"Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1201", "mitre_attack_technique": "Password Policy Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "OilRig", "Turla"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": 
["APT28", "APT29"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule", "ESCU - PingID Multiple Failed MFA Requests For User - Rule", "ESCU - PingID New MFA Method After Credential Reset - Rule", "ESCU - PingID New MFA Method Registered For User - Rule", "ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - ASL AWS Concurrent Sessions From Different Ips - Rule", "ESCU - ASL AWS Password Policy Changes - Rule", "ESCU - AWS Concurrent Sessions From Different Ips - Rule", "ESCU - AWS Console Login Failed During MFA Challenge - Rule", "ESCU - AWS High Number Of Failed Authentications For User - Rule", "ESCU - AWS High Number Of Failed Authentications From Ip - Rule", "ESCU - AWS Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - AWS Password Policy Changes - Rule", "ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Azure AD Concurrent Sessions From Different Ips - Rule", "ESCU - Azure AD High Number Of Failed Authentications For User - Rule", "ESCU - Azure AD High Number Of Failed Authentications From Ip - Rule", "ESCU - Azure AD New MFA Method Registered For User - Rule", "ESCU - Azure AD Successful Authentication From Different Ips - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": 
[], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "PingID Mismatch Auth Source and Verification Response", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "PingID Multiple Failed MFA Requests For User", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "PingID New MFA Method After Credential Reset", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "PingID New MFA Method Registered For User", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Multi-Factor Authentication"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "ASL AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "ASL AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password 
Policy Discovery"}]}}, {"name": "AWS Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "AWS Console Login Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "AWS High Number Of Failed Authentications For User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS High Number Of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "AWS Password Policy Changes", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Policy Discovery"}]}}, {"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Azure AD Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "Azure AD High Number Of Failed Authentications For User", "source": 
"cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "Azure AD High Number Of Failed Authentications From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Azure AD New MFA Method Registered For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "Azure AD Successful Authentication From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Credential Dumping", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 3, "id": 
"854d78bf-d0e2-4f4e-b05c-640905f86d7a", "description": "Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.", "narrative": "Credential dumping—gathering credentials from a target system, often hashed or encrypted—is a common attack technique. Even though the credentials may not be in plain text, an attacker can still exfiltrate the data and set to cracking it offline, on their own systems. The threat actors target a variety of sources to extract them, including the Security Accounts Manager (SAM), Local Security Authority (LSA), NTDS from Domain Controllers, or the Group Policy Preference (GPP) files.\\\nOnce attackers obtain valid credentials, they use them to move throughout a target network with ease, discovering new systems and identifying assets of interest. 
Credentials obtained in this manner typically include those of privileged users, which may provide access to more sensitive information and system operations.\\\nThe detection searches in this Analytic Story monitor access to the Local Security Authority Subsystem Service (LSASS) process, the usage of shadowcopies for credential dumping and some other techniques for credential dumping.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html"], "tags": {"name": "Credential Dumping", "analytic_story": "Credential Dumping", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": 
["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", 
"Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change", "Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Unsigned Image Loaded by LSASS - Rule", "ESCU - Access LSASS Memory for Dump Creation - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Create Remote Thread into LSASS - Rule", "ESCU - Creation of lsass Dump with Taskmgr - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Credential Dumping via Copy Command from Shadow Copy - Rule", "ESCU - Credential Dumping via Symlink to Shadow Copy - Rule", "ESCU - Detect Copy of ShadowCopy with Script Block Logging - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Potential password in 
username - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows Credential Dumping LSASS Memory Createdump - Rule", "ESCU - Windows Hunting System Account Targeting Lsass - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Non-System Account Targeting Lsass - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": ["ESCU - Investigate Failed Logins for Multiple Destinations - Response Task", "ESCU - Investigate Pass the Hash Attempts - Response Task", "ESCU - Investigate Pass the Ticket Attempts - Response Task", "ESCU - Investigate Previous Unseen User - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Unsigned Image Loaded by LSASS", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Access LSASS Memory for Dump Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Create Remote Thread into LSASS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of lsass Dump with Taskmgr", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Credential Dumping via Copy Command from Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Credential Dumping via Symlink to Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Copy of ShadowCopy with Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Credential Dumping LSASS Memory Createdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Windows Hunting System Account Targeting Lsass", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Non-System Account Targeting Lsass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "author": "Michael Haag, Splunk", "date": "2022-10-14", "version": 1, "id": "55721831-577e-41be-beef-bdc03c81486a", "description": "Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, 
and FortiSwitchManager projects CVE-2022-40684.", "narrative": "FortiOS exposes a management web portal that allows a user configure the system. Additionally, a user can SSH into the system which exposes a locked down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent Node.js. This exploit seems to follow a trend among recently discovered enterprise software vulnerabilities where HTTP headers are improperly validated or overly trusted. (ref Horizon3.ai)", "references": ["https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/", "https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/", "https://github.com/horizon3ai/CVE-2022-40684", "https://attackerkb.com/topics/QWOxGIKkGx/cve-2022-40684/rapid7-analysis", "https://www.greynoise.io/blog/fortios-authentication-bypass"], "tags": {"name": "CVE-2022-40684 Fortinet Appliance Auth bypass", "analytic_story": "CVE-2022-40684 Fortinet Appliance Auth bypass", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", 
"GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Fortinet Appliance Auth bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Fortinet Appliance Auth bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "CVE-2023-21716 Word RTF Heap Corruption", "author": "Michael Haag, Splunk", "date": "2023-03-10", "version": 1, "id": "b1aeaf2c-8496-42e7-b2f7-15c328bc75d9", "description": "A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.", "narrative": "This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. 
Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s \"wwlib.dll\" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)", "references": ["https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"], "tags": {"name": "CVE-2023-21716 Word RTF Heap Corruption", "analytic_story": "CVE-2023-21716 Word RTF Heap Corruption", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", 
"Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence 
Data Center and Server", "author": "Michael Haag, Splunk", "date": "2023-10-04", "version": 1, "id": "ead8eb10-9e7c-4a07-a44c-c6e73997a1a3", "description": "On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided.", "narrative": "Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats.\\\nBy monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation. \\\nFurthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints. 
\\\nIn parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored.", "references": ["https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", "https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/"], "tags": {"name": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "analytic_story": "CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Confluence CVE-2023-22515 Trigger Vulnerability - Rule", "ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Web Remote ShellServlet Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Confluence CVE-2023-22515 Trigger Vulnerability", 
"source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Confluence Data Center and Server Privilege Escalation", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Web Remote ShellServlet Access", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "author": "Michael Haag, Splunk", "date": "2023-03-15", "version": 1, "id": "b459911b-551f-480f-a402-18cf89ca1e9c", "description": "Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows.", "narrative": "Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.\\ CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required.\\ The connection to the remote SMB server sends the user''s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages. 
(2023, Microsoft)", "references": ["https://twitter.com/ACEResponder/status/1636116096506818562?s=20", "https://twitter.com/domchell/status/1635999068282408962?s=20", "https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/"], "tags": {"name": "CVE-2023-23397 Outlook Elevation of Privilege", "analytic_story": "CVE-2023-23397 Outlook Elevation of Privilege", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Windows Rundll32 WebDAV Request - Rule", "ESCU - Windows Rundll32 WebDav With Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Rundll32 WebDAV Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Windows Rundll32 WebDav With Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}]}, {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-07-11", "version": 1, "id": "dd7fb691-63d6-47ad-9a7f-1b9005cefad2", "description": "CVE-2023-36884 is an unpatched zero-day 
vulnerability affecting Windows and Microsoft Office products. The vulnerability allows for remote code execution through specially crafted Microsoft Office documents, enabling an attacker to operate in the context of the victim. As of now, there are no security updates available. However, users of Microsoft Defender for Office and the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are safeguarded against this exploit. For other users, temporary mitigation can be achieved by adding specific application names to a designated registry key.", "narrative": "CVE-2023-36884 is a serious security vulnerability that affects a range of Microsoft Office products and Windows systems. It is a zero-day flaw, meaning it was already being exploited before Microsoft became aware of it or had a chance to develop a patch. \\\nAn attacker exploiting this vulnerability would create a Microsoft Office document containing malicious code. This document, when opened by the victim, allows for remote code execution, giving the attacker the ability to run their own code on the victim's machine. This poses a significant risk as the attacker could perform actions like data theft, system damage, or creating backdoors for future access. \\\nCurrently, there is no security patch available from Microsoft, which makes the issue more critical. Microsoft is working on investigating these vulnerabilities and will likely provide a security update either through their monthly release cycle or an out-of-cycle update, based on the urgency. \\\nIn the meantime, users of Microsoft Defender for Office and those utilizing the \"Block all Office applications from creating child processes\" Attack Surface Reduction Rule are protected from attempts to exploit this vulnerability. This is because these protections add an extra layer of security, blocking the malicious code from executing. 
\\\nFor users who are not using these protections, Microsoft recommends a workaround by adding specific application names to a particular Windows registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) with data set as \"1\". This action aims to mitigate the risk until a permanent fix is available. \\\nThe disclosure of this flaw involved multiple entities including Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri from Google's Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster from Volexity, and the Microsoft Office Product Group Security Team. This collective effort indicates the severity and importance of addressing this issue.", "references": ["https://gist.github.com/MHaggis/22ad19081300493e70ce0b873e98b2d0", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884", "https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/", "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"], "tags": {"name": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "analytic_story": "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", 
"BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "CyclopsBLink", "author": "Teoderick Contreras, Splunk", "date": "2022-04-07", "version": 1, "id": "7c75b1c8-dfff-46f1-8250-e58df91b6fd9", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the cyclopsblink malware including firewall modification, spawning more process, botnet c2 communication, defense evasion and etc. 
Cyclops Blink is a Linux ELF executable compiled for 32-bit x86 and PowerPC architecture that has targeted several network devices. The complete list of targeted devices is unknown at this time, but WatchGuard FireBox has specifically been listed as a target. The modular malware consists of core components and modules that are deployed as child processes using the Linux API fork. At this point, four modules have been identified that download and upload files, gather system information and contain updating mechanisms for the malware itself. Additional modules can be downloaded and executed from the Command And Control (C2) server.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"], "tags": {"name": "CyclopsBLink", "analytic_story": "Cyclops BLink", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic 
Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "DarkCrystal RAT", "author": "Teoderick Contreras, Splunk", "date": "2022-07-26", "version": 1, "id": "639e6006-0885-4847-9394-ddc2902629bf", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. 
The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.", "narrative": "Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.", "references": ["https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor", "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat"], "tags": {"name": "DarkCrystal RAT", "analytic_story": "DarkCrystal RAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", 
"Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", 
"TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", 
"Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", 
"Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592.001", "mitre_attack_technique": "Hardware", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": 
"T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1124", "mitre_attack_technique": "System Time Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Darkhotel", "Higaisa", "Lazarus Group", "Sidewinder", "The White Company", "Turla", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Windows Command Shell DCRat ForkBomb Payload - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Gather Victim Host Information Camera - Rule", "ESCU - Windows Gather Victim Network Info 
Through Ip Check Web Services - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Ingress Tool Transfer Using Explorer - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows System Time Discovery W32tm Delay - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, 
{"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Command Shell DCRat ForkBomb Payload", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Gather Victim Host Information Camera", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware"}, {"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Windows Gather Victim Network 
Info Through Ip Check Web Services", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IP Addresses"}, {"mitre_attack_technique": "Gather Victim Network Information"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Ingress Tool Transfer Using Explorer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Time Discovery W32tm Delay", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Time Discovery"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "DarkGate Malware", "author": "Michael 
Haag, Splunk", "date": "2023-10-31", "version": 1, "id": "a4727b27-9e68-48f0-94a2-253cfb30c15d", "description": "Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.", "narrative": "Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts. \\\nMarquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. 
The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components. \\\nThe analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks. \\\nSignificantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.", "references": ["https://github.security.telekom.com/2023/08/darkgate-loader.html", "https://redcanary.com/blog/intelligence-insights-october-2023"], "tags": {"name": "DarkGate Malware", "analytic_story": "DarkGate Malware", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", 
"HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], 
"mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", 
"GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": 
"Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", 
"menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", 
"Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Powershell Remote Services Add TrustedHost - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Archive 
Collected Data via Rar - Rule", "ESCU - Windows AutoIt3 Execution - Rule", "ESCU - Windows CAB File on Disk - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Credentials from Password Stores Creation - Rule", "ESCU - Windows Credentials from Password Stores Deletion - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Indicator Removal Via Rmdir - Rule", "ESCU - Windows Modify Registry AuthenticationLevelOverride - Rule", "ESCU - Windows Modify Registry DisableRemoteDesktopAntiAlias - Rule", "ESCU - Windows Modify Registry DisableSecuritySettings - Rule", "ESCU - Windows Modify Registry DontShowUI - Rule", "ESCU - Windows Modify Registry ProxyEnable - Rule", "ESCU - Windows Modify Registry ProxyServer - Rule", "ESCU - Windows MSIExec Spawn WinDBG - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows WinDBG Spawning AutoIt3 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create 
Account"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Remote Services Add TrustedHost", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Archive Collected Data via Rar", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Windows AutoIt3 Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows CAB File on Disk", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials from Password Stores Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Indicator Removal Via Rmdir", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Modify Registry AuthenticationLevelOverride", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisableRemoteDesktopAntiAlias", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DisableSecuritySettings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry DontShowUI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry ProxyEnable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry ProxyServer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows MSIExec Spawn WinDBG", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows WinDBG Spawning AutoIt3", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Data Destruction", "author": "Teoderick Contreras, Splunk", "date": 
"2023-04-06", "version": 1, "id": "4ae5c0d1-cebd-47d1-bfce-71bf096e38aa", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of \"DoubleZero Destructor\", \"CaddyWiper\", \"AcidRain\", \"AwfulShred\", \"Hermetic Wiper\", \"Swift Slicer\", \"Whisper Gate\" and many more.", "narrative": "Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.", "references": ["https://attack.mitre.org/techniques/T1485/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html", "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html", "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html", "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", 
"https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html", "https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html"], "tags": {"name": "Data Destruction", "analytic_story": "Data Destruction", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": 
["no"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", 
"Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", 
"Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", 
"GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], 
"mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", 
"OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": 
["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", 
"Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", 
"APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server 
Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", 
"Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - 
Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux Data Destruction Command - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Deletion Of Cron Jobs - Rule", "ESCU - Linux Deletion Of Init Daemon Script - Rule", "ESCU - Linux Deletion Of Services - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux Hardware Addition SwapOff - Rule", "ESCU - Linux High Frequency Of File Deletion In Boot Folder - Rule", "ESCU - Linux High Frequency Of File Deletion In Etc Folder - Rule", "ESCU - Linux Impair Defenses Process Kill - Rule", "ESCU - Linux Indicator Removal Clear Cache - Rule", "ESCU - Linux Indicator Removal Service File Deletion - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Linux System Reboot Via System Request Key - Rule", "ESCU - Linux Unix Shell Enable All SysRq Functions - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by 
Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows DotNet Binary in 
Non Standard Path - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - Windows Terminating Lsass Process - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WMI Recon Running Process Or Services - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair 
Defenses"}]}}, {"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Empire with PowerShell Script 
Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket 
Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Data Destruction Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deletion Of Cron Jobs", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, 
{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Init Daemon Script", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Deletion Of Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux Hardware Addition SwapOff", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}]}}, {"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux High Frequency Of File Deletion In Etc Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Impair Defenses Process Kill", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Indicator Removal Clear Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Indicator Removal Service File Deletion", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Linux System Reboot Via System Request Key", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Linux Unix Shell Enable All SysRq Functions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon 
Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": 
"PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, 
{"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Data Exfiltration", "author": "Bhavin Patel, Shannon Davis, Splunk", "date": "2023-05-17", "version": 2, "id": "66b0fe0c-1351-11eb-adc1-0242ac120002", "description": "Data exfiltration refers to the unauthorized transfer or extraction of sensitive or valuable data from a compromised system or network during a cyber attack. It is a critical phase in many targeted attacks, where adversaries aim to steal confidential information, such as intellectual property, financial records, personal data, or trade secrets.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) leveraged by adversaries to exfiltrate data from your environments. Exfiltration comes in many flavors and its done differently on every environment. Adversaries can collect data over encrypted or non-encrypted channels. 
They can utilise Command And Control channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc to exfiltrate data. Or they can use non-standard protocols such as DNS, ICMP, etc with specially crafted fields to try and circumvent security technologies in place.\\\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. In context of the cloud, this refers to the unauthorized transfer or extraction of sensitive data from cloud-based systems or services. It involves the compromise of cloud infrastructure or accounts to gain access to valuable information stored in the cloud environment. Attackers may employ various techniques, such as exploiting vulnerabilities, stealing login credentials, or using malicious code to exfiltrate data from cloud repositories or services without detection.", "references": ["https://attack.mitre.org/tactics/TA0010/", "https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436", "https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a"], "tags": {"name": "Data Exfiltration", "analytic_story": "Data Exfiltration", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": 
["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", 
"Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1114.001", "mitre_attack_technique": "Local Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "Chimera", "Magic Hound"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Exfiltration", "Impact", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - 
Rule", "ESCU - AWS Exfiltration via Anomalous GetObject API Activity - Rule", "ESCU - AWS Exfiltration via Batch Service - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Gdrive suspicious file sharing - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Mailsniper Invoke functions - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect SNICat SNI Exfiltration - Rule", "ESCU - Multiple Archive Files Http Post Traffic - Rule", "ESCU - Plain HTTP POST Exfiltrated Data - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Shannon Davis, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS AMI Atttribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via Anomalous GetObject API Activity", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via Batch Service", 
"source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious User Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Mailsniper Invoke functions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Local Email Collection"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect SNICat SNI Exfiltration", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Multiple Archive Files Http Post Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Plain HTTP POST Exfiltrated Data", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}]}, {"name": "Data Protection", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e1fce33", "description": "Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.", "narrative": "Attackers can 
leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.", "references": ["https://www.cisecurity.org/controls/data-protection/", "https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/"], "tags": {"name": "Data Protection", "analytic_story": "Data Protection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Exfiltration", "Initial Access"], "datamodels": ["Change", "Change_Analysis", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Delivery"]}, "detection_names": ["ESCU - Detect USB device insertion - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - Detect hosts connecting to dynamic 
domain providers - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect USB device insertion", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}]}, {"name": "Deobfuscate-Decode Files or Information", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "0bd01a54-8cbe-11eb-abcd-acde48001122", "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "narrative": "An example of obfuscated files is `Certutil.exe` usage to encode a portable executable to a certificate file, which is base64 encoded, to hide the originating file. There are many utilities cross-platform to encode using XOR, using compressed .cab files to hide contents and scripting languages that may perform similar native Windows tasks. Triaging an event related will require the capability to review related process events and file modifications. 
Using a tool such as CyberChef will assist with identifying the encoding that was used, and potentially assist with decoding the contents.", "references": ["https://attack.mitre.org/techniques/T1140/"], "tags": {"name": "Deobfuscate-Decode Files or Information", "analytic_story": "Deobfuscate-Decode Files or Information", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - CertUtil With Decode Argument - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}]}, {"name": "AWS Cryptomining", "author": "David Dorsey, Splunk", "date": "2018-03-08", "version": 1, "id": "ced74200-8465-4bc3-bd2c-9a782eec6750", "description": "Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. 
New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.", "narrative": "Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed into the process to ensure that the number of blocks mined each day would remain steady. So, it's par for the course that ambitious, but unscrupulous, miners make amassing the computing power of large enterprises--a practice known as cryptojacking--a top priority. \\\nCryptojacking has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services (AWS). It's difficult to determine exactly how widespread the practice has become, since bad actors continually evolve their ability to escape detection, including employing unlisted endpoints, moderating their CPU usage, and hiding the mining pool's IP address behind a free CDN. \\\nWhen malicious miners appropriate a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So, it is critically important to monitor your systems for suspicious activities that could indicate that your network has been infiltrated. \\\nThis Analytic Story is focused on detecting suspicious new instances in your EC2 environment to help prevent such a disaster. It contains detection searches that will detect when a previously unused instance type or AMI is used. 
It also contains support searches to build lookup files to ensure proper execution of the detection searches.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "AWS Cryptomining", "analytic_story": "AWS Cryptomining", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen AMI - Rule", "ESCU - EC2 Instance Started With Previously Unseen Instance Type - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK", "ESCU - Previously Seen EC2 AMIs", "ESCU - Previously Seen EC2 Instance Types", "ESCU - Previously 
Seen EC2 Launches By User", "ESCU - Previously Seen AWS Regions"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "EC2 Instance Started With Previously Unseen AMI", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "EC2 Instance Started With Previously Unseen Instance Type", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "AWS Suspicious Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-03-16", "version": 1, "id": "3338b567-3804-4261-9889-cf0ca4753c7f", "description": "Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.", "narrative": "Because most enterprise AWS activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary. 
\\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "AWS Suspicious Provisioning Activities", "analytic_story": "AWS Suspicious Provisioning Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - AWS Cloud Provisioning From Previously Unseen City - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Country - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", "ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From City - Response Task", "ESCU - Get All AWS Activity From Country - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - 
Get All AWS Activity From Region - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Provisioning Activity Sources"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "AWS Cloud Provisioning From Previously Unseen City", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "AWS Cloud Provisioning From Previously Unseen Country", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "AWS Cloud Provisioning From Previously Unseen IP Address", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "AWS Cloud Provisioning From Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Common Phishing Frameworks", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "9a64ab44-9214-4639-8163-7eaa2621bd61", "description": "Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email. ", "narrative": "As most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. 
Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks.\\\nThis Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2), a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.", "references": ["https://github.com/kgretzky/evilginx2", "https://attack.mitre.org/techniques/T1192/", "https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/"], "tags": {"name": "Common Phishing Frameworks", "analytic_story": "Common Phishing Frameworks", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.003", "mitre_attack_technique": "Spearphishing via Service", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT29", "Ajax Security Team", "CURIUM", "Dark Caracal", "EXOTIC LILY", "FIN6", "Lazarus Group", "Magic Hound", "OilRig", "Windshift"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Network_Resolution", "Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Detect DNS requests to Phishing Sites leveraging EvilGinx2 - Rule"], "investigation_names": ["ESCU - Get Certificate logs for a domain - Response Task"], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Splunk Research Team", "detections": [{"name": "Detect DNS requests to Phishing Sites leveraging EvilGinx2", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing via Service"}]}}]}, {"name": "Container Implantation Monitoring and Investigation", "author": "Rod Soto, Rico Valdez, Splunk", "date": "2020-02-20", "version": 1, "id": "aa0e28b1-0521-4b6f-9d2a-7b87e34af246", "description": "Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.", "narrative": "Container Registrys provide a way for organizations to keep customized images of their development and infrastructure environment in private. However if these repositories are misconfigured or priviledge users credentials are compromise, attackers can potentially upload implanted containers which can be deployed across the organization. 
These searches allow operator to monitor who, when and what was uploaded to container registry.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "tags": {"name": "Container Implantation Monitoring and Investigation", "analytic_story": "Container Implantation Monitoring and Investigation", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Rico Valdez, Splunk", "author_name": "Rod Soto", "detections": []}, {"name": "Host Redirection", "author": "Rico Valdez, Splunk", "date": "2017-09-14", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50fe268af4", "description": "Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended--potentially one that is part of an adversary's attack infrastructure. An example is redirecting communications regarding patches and updates or misleading users into visiting a malicious website.", "narrative": "Attackers will often attempt to manipulate client communications for nefarious purposes. In some cases, an attacker may endeavor to modify a local host file to redirect communications with resources (such as antivirus or system-update services) to prevent clients from receiving patches or updates. In other cases, an attacker might use this tactic to have the client connect to a site that looks like the intended site, but instead installs malware or collects information from the victim. 
Additionally, an attacker may redirect a victim in order to execute a MITM attack and observe communications.", "references": ["https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/"], "tags": {"name": "Host Redirection", "analytic_story": "Host Redirection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - Windows hosts file modification - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows 
hosts file modification", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Kubernetes Sensitive Role Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, "id": "8b3984d2-17b6-47e9-ba43-a3376e70fdcc", "description": "This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "tags": {"name": "Kubernetes Sensitive Role Activity", "analytic_story": "Kubernetes Sensitive Role Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect most active service accounts by pod - Rule", "ESCU - Kubernetes AWS detect sensitive role access - Rule", "ESCU - Kubernetes Azure active service accounts by pod namespace - Rule", "ESCU - Kubernetes Azure detect RBAC authorization by account - Rule", "ESCU - Kubernetes Azure detect sensitive role access - Rule", "ESCU - Kubernetes GCP detect most active service accounts by pod - Rule", "ESCU - Kubernetes GCP detect RBAC authorizations by account - Rule", "ESCU - Kubernetes GCP detect sensitive role access - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", 
"detections": [{"name": "Kubernetes AWS detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure active service accounts by pod namespace", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect RBAC authorization by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect most active service accounts by pod", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect RBAC authorizations by account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect sensitive role access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Lateral Movement", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "399d65dc-1f08-499b-a259-abd9051f38ad", "description": " DEPRECATED IN FAVOR OF ACTIVE DIRECTORY LATERAL MOVEMENT. Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.", "narrative": "Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. 
Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement can include the abuse of system utilities (such as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or \"crown jewels\" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. 
Analysts should account for all processes to ensure that the attackers did not install unauthorized software.", "references": ["https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html"], "tags": {"name": "Lateral Movement", "analytic_story": "Lateral Movement", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": []}, {"name": "Monitor Backup Solution", "author": "David Dorsey, Splunk", "date": "2017-09-12", "version": 1, "id": "abe807c7-1eb6-4304-ac32-6e7aacdb891d", "description": "Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.", "narrative": "Having backups is a standard best practice that helps ensure continuity of business operations. Having mature backup processes can also help you reduce the risks of many security-related incidents and streamline your response processes. The detection searches in this Analytic Story will help you identify systems that have backup failures, as well as systems that have not been backed up for an extended period of time. 
The story will also return the notable event history and all of the backup logs for an endpoint.", "references": ["https://www.carbonblack.com/2016/03/04/tracking-locky-ransomware-using-carbon-black/"], "tags": {"name": "Monitor Backup Solution", "analytic_story": "Monitor Backup Solution", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Extended Period Without Successful Netbackup Backups - Rule", "ESCU - Unsuccessful Netbackup backups - Rule"], "investigation_names": ["ESCU - All backup logs for host - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Monitor Successful Backups", "ESCU - Monitor Unsuccessful Backups"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Extended Period Without Successful Netbackup Backups", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unsuccessful Netbackup backups", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Monitor for Unauthorized Software", "author": "David Dorsey, Splunk", "date": "2017-09-15", "version": 1, "id": "8892a655-6205-43f7-abba-06460e38c8ae", "description": "Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. ", "narrative": "It is critical to identify unauthorized software and processes running on enterprise endpoints and determine whether they are likely to be malicious. This Analytic Story requires the user to populate the Interesting Processes table within Enterprise Security with prohibited processes. An included support search will augment this data, adding information on processes thought to be malicious. 
This search requires data from endpoint detection-and-response solutions, endpoint data sources (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator has enabled process tracking within the System Event Audit Logs.\\\nIt is important to investigate any software identified as suspicious, in order to understand how it was installed or executed. Analyzing authentication logs or any historic notable events might elicit additional investigative leads of interest. For best results, schedule the search to run every two weeks. ", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "tags": {"name": "Monitor for Unauthorized Software", "analytic_story": "Monitor for Unauthorized Software", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", 
"OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Reconnaissance"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Add Prohibited Processes to Enterprise Security"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}]}, {"name": "Office 365 Detections", "author": "Patrick Bareiss, Mauricio Velazco, Splunk", "date": "2020-12-16", "version": 2, "id": "1a51dd71-effc-48b2-abc4-3e9cdb61e5b9", "description": "Monitor for activities and anomalies indicative of potential threats within Office 365 environments.", "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all 
integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. Security teams should prioritize monitoring O365 not just because of the sensitive data it often holds, but also due to the myriad ways the platform can be exploited. Understanding and monitoring O365's security landscape is crucial for organizations to detect, respond to, and mitigate potential threats in a timely manner.", "references": ["https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf", "https://attack.mitre.org/matrices/enterprise/cloud/office365/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-120a"], "tags": {"name": "Office 365 Detections", "analytic_story": "Office 365 Detections", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": [], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Patrick Bareiss", "detections": []}, {"name": "Spectre And Meltdown Vulnerabilities", "author": "David Dorsey, Splunk", "date": "2018-01-08", "version": 1, "id": "6d3306f6-bb2b-4219-8609-8efad64032f2", "description": "Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.", "narrative": "Meltdown and Spectre exploit critical 
vulnerabilities in modern CPUs that allow unintended access to data in memory. This Analytic Story will help you identify the systems can be patched for these vulnerabilities, as well as those that still need to be patched.", "references": ["https://meltdownattack.com/"], "tags": {"name": "Spectre And Meltdown Vulnerabilities", "analytic_story": "Spectre And Meltdown Vulnerabilities", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Vulnerabilities"], "kill_chain_phases": []}, "detection_names": ["ESCU - Spectre and Meltdown Vulnerable Systems - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Systems Ready for Spectre-Meltdown Windows Patch"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Spectre and Meltdown Vulnerable Systems", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious AWS EC2 Activities", "author": "Bhavin Patel, Splunk", "date": "2018-02-09", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f1268af3", "description": "Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.", "narrative": "AWS CloudTrail is an AWS service that helps you enable governance, compliance, and risk auditing within your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. 
It is crucial for a company to monitor events and actions taken in the AWS Console, AWS command-line interface, and AWS SDKs and APIs to ensure that your EC2 instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your AWS EC2 instances and helps you respond and investigate those activities.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious AWS EC2 Activities", "analytic_story": "Suspicious AWS EC2 Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High AWS Instances Launched by User - Rule", "ESCU - Abnormally High AWS Instances Launched by User - MLTK - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - Rule", "ESCU - Abnormally High AWS Instances Terminated by User - MLTK - Rule", "ESCU - EC2 Instance Started In Previously Unseen Region - Rule", "ESCU - EC2 Instance Started With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate Security Hub alerts by dest - Response Task", "ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get EC2 Launch Details - 
Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of Excessive AWS Instances Launched by User - MLTK", "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK", "ESCU - Previously Seen EC2 Launches By User", "ESCU - Previously Seen AWS Regions"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Abnormally High AWS Instances Launched by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Launched by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Terminated by User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "Abnormally High AWS Instances Terminated by User - MLTK", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "EC2 Instance Started In Previously Unseen Region", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "EC2 Instance Started With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Unusual AWS EC2 Modifications", "author": "David Dorsey, Splunk", "date": "2018-04-09", "version": 1, "id": "73de57ef-0dfc-411f-b1e7-fa24428aeae0", "description": "Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. 
Modifications to your EC2 instances by previously unseen users is an example of an activity that may warrant further investigation.", "narrative": "A common attack technique is to infiltrate a cloud instance and make modifications. The adversary can then secure access to your infrastructure or hide their activities. So it's important to stay alert to changes that may indicate that your environment has been compromised. \\\n Searches within this Analytic Story can help you detect the presence of a threat by monitoring for EC2 instances that have been created or changed--either by users that have never previously performed these activities or by known users who modify or create instances in a way that have not been done before. This story also provides investigative searches that help you go deeper once you detect suspicious behavior.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Unusual AWS EC2 Modifications", "analytic_story": "Unusual AWS EC2 Modifications", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - EC2 Instance Modified With Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get EC2 Instance Details by instanceId - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen EC2 
Modifications By User"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "EC2 Instance Modified With Previously Unseen User", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Web Fraud Detection", "author": "Jim Apger, Splunk", "date": "2018-10-08", "version": 1, "id": "18bb45b9-7684-45c6-9e97-1fdd0d98c0a7", "description": "Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.", "narrative": "The Federal Bureau of Investigations (FBI) defines Internet fraud as the use of Internet services or software with Internet access to defraud victims or to otherwise take advantage of them. According to the Bureau, Internet crime schemes are used to steal millions of dollars each year from victims and continue to plague the Internet through various methods. The agency includes phishing scams, data breaches, Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and ransomware in this category.\\\nThese crimes are not the fraud itself, but rather the attack techniques commonly employed by fraudsters in their pursuit of data that enables them to commit malicious actssuch as obtaining and using stolen credit cards. 
They represent a serious problem that is steadily increasing and not likely to go away anytime soon.\\\nWhen developing a strategy for preventing fraud in your environment, its important to look across all of your web services for evidence that attackers are abusing enterprise resources to enumerate systems, harvest data for secondary fraudulent activity, or abuse terms of service.This Analytic Story looks for evidence of common Internet attack techniques that could be indicative of web fraud in your environmentincluding account harvesting, anomalous user clickspeed, and password sharing across accounts, to name just a few.\\\nThe account-harvesting search focuses on web pages used for user-account registration. It detects the creation of a large number of user accounts using the same email domain name, a type of activity frequently seen in advance of a fraud campaign.\\\nThe anomalous clickspeed search looks for users who are moving through your website at a faster-than-normal speed or with a perfect click cadence (high periodicity or low standard deviation), which could indicate that the user is a script, not an actual human.\\\nAnother search detects incidents wherein a single password is used across multiple accounts, which may indicate that a fraudster has infiltrated your environment and embedded a common password within a script.", "references": ["https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud", "https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718"], "tags": {"name": "Web Fraud Detection", "analytic_story": "Web Fraud Detection", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Fraud Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid 
Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Web Fraud - Account Harvesting - Rule", "ESCU - Web Fraud - Anomalous User Clickspeed - Rule", "ESCU - Web Fraud - Password Sharing Across Accounts - Rule"], "investigation_names": ["ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Web Session Information via session id - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Jim Apger", "detections": [{"name": "Web Fraud - Account Harvesting", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Account"}]}}, {"name": "Web Fraud - Anomalous User Clickspeed", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Web Fraud - Password Sharing Across Accounts", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Detect Zerologon Attack", "author": "Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk", "date": "2020-09-18", "version": 1, "id": "5d14a962-569e-4578-939f-f386feb63ce4", "description": "Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein 
attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.", "narrative": "This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller, using Netlogon Remote Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and assign themselve high privileges that can lead to domain controller and potentially complete network takeover. The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz tool which has bee updated to carry this attack payload.", "references": ["https://attack.mitre.org/wiki/Technique/T1003", "https://github.com/SecuraBV/CVE-2020-1472", "https://www.secura.com/blog/zero-logon", "https://nvd.nist.gov/vuln/detail/CVE-2020-1472"], "tags": {"name": "Detect Zerologon Attack", "analytic_story": "Detect Zerologon Attack", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", 
"BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Initial Access", "Lateral Movement"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Computer Changed with Anonymous Account - Rule", "ESCU - Detect Credential Dumping through LSASS access - Rule", "ESCU - Windows Possible Credential Dumping - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Jose Hernandez, Stan Miskowicz, 
David Dorsey, Shannon Davis Splunk", "author_name": "Rod Soto", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Computer Changed with Anonymous Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Detect Credential Dumping through LSASS access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Dev Sec Ops", "author": "Patrick Bareiss, Splunk", "date": "2021-08-18", "version": 1, "id": "0ca8c38e-631e-4b81-940c-f9c5450ce41e", "description": "This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.", "narrative": "DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. 
In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.", "references": ["https://www.redhat.com/en/topics/devops/what-is-devsecops"], "tags": {"name": "Dev Sec Ops", "analytic_story": "Dev Sec Ops", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.003", "mitre_attack_technique": "Malicious Image", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1554", "mitre_attack_technique": "Compromise Client Software Binary", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1195.002", "mitre_attack_technique": "Compromise Software Supply Chain", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT41", "Cobalt Group", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Sandworm Team", "Threat Group-3390"]}, {"mitre_attack_id": "T1195", "mitre_attack_technique": "Supply Chain Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1199", "mitre_attack_technique": "Trusted Relationship", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "GOLD SOUTHFIELD", "LAPSUS$", "POLONIUM", "Sandworm Team", "Threat Group-3390", "menuPass"]}, {"mitre_attack_id": "T1195.001", "mitre_attack_technique": "Compromise Software Dependencies and Development Tools", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1567.002", 
"mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", 
"mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Discovery", "Execution", "Exfiltration", "Initial Access", "Persistence"], "datamodels": ["Risk"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - AWS ECR Container Scanning Findings High - Rule", "ESCU - AWS ECR Container Scanning Findings Low Informational Unknown - Rule", "ESCU - AWS ECR Container Scanning Findings Medium - Rule", "ESCU - AWS ECR Container Upload Outside Business Hours - Rule", "ESCU - AWS ECR Container Upload Unknown User - Rule", "ESCU - Circle CI Disable Security Job - Rule", "ESCU - Circle CI Disable Security Step - Rule", "ESCU - GitHub Actions Disable Security Workflow - Rule", "ESCU - Github Commit Changes In Master - Rule", "ESCU - Github Commit In Develop - Rule", "ESCU - GitHub Dependabot Alert - Rule", "ESCU - GitHub Pull Request from Unknown User - Rule", "ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - GSuite Email Suspicious Attachment - Rule", "ESCU - Gsuite Email Suspicious Subject With Attachment - Rule", "ESCU - Gsuite Email With Known Abuse Web Service Link - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - Gsuite Suspicious Shared File Name - Rule", "ESCU - Kubernetes Nginx Ingress LFI - Rule", "ESCU - Kubernetes Nginx Ingress RFI - Rule", "ESCU - Kubernetes Scanner Image Pulling - Rule", "ESCU - Risk Rule for Dev Sec Ops by Repository - Rule", "ESCU - Correlation by Repository and Risk - 
Rule", "ESCU - Correlation by User and Risk - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "AWS ECR Container Scanning Findings High", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Scanning Findings Low Informational Unknown", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Scanning Findings Medium", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Upload Outside Business Hours", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "AWS ECR Container Upload Unknown User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Circle CI Disable Security Job", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Client Software Binary"}]}}, {"name": "Circle CI Disable Security Step", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Client Software Binary"}]}}, {"name": "GitHub Actions Disable Security Workflow", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Supply Chain"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "Github Commit Changes In Master", 
"source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Relationship"}]}}, {"name": "Github Commit In Develop", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Relationship"}]}}, {"name": "GitHub Dependabot Alert", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "GitHub Pull Request from Unknown User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Software Dependencies and Development Tools"}, {"mitre_attack_technique": "Supply Chain Compromise"}]}}, {"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "GSuite Email Suspicious Attachment", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Email Suspicious Subject With Attachment", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Email With Known Abuse Web Service Link", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, 
{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Gsuite Suspicious Shared File Name", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Kubernetes Nginx Ingress LFI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Kubernetes Nginx Ingress RFI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Kubernetes Scanner Image Pulling", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Risk Rule for Dev Sec Ops by Repository", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Correlation by Repository and Risk", "source": "deprecated", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Correlation by User and Risk", "source": "deprecated", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious Image"}, {"mitre_attack_technique": "User Execution"}]}}]}, {"name": "DHS Report TA18-074A", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef", "description": "Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. 
Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.", "narrative": "The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. \\\nThere is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure. \\\nOne joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant.\\\nSuspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. 
While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-074A"], "tags": {"name": "DHS Report TA18-074A", "analytic_story": "DHS Report TA18-074A", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", 
"Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": 
["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard 
Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", 
"Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Create local admin accounts using net exe - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task 
Deleted Or Created via CMD - Rule", "ESCU - Single Letter Process On Endpoint - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process File Activity - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Create local admin accounts using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Single Letter Process On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "Disabling Security Tools", "author": "Rico Valdez, Splunk", "date": "2020-02-04", "version": 2, "id": "fcc27099-46a0-46b0-a271-5c7dab56b6f1", "description": "Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.", "narrative": "Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve monitoring for suspicious registry activity, as this is where much of the configuration for Windows and various other programs reside, or explicitly attempting to shut down security-related services. 
Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list (which would prevent them from running).", "references": ["https://attack.mitre.org/wiki/Technique/T1089", "https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/", "https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf"], "tags": {"name": "Disabling Security Tools", "analytic_story": "Disabling Security Tools", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, 
{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", 
"Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Attempt To Add Certificate To Untrusted Store - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - Unload Sysmon Filter Driver - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], 
"investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Attempt To Add Certificate To Untrusted Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Unload Sysmon Filter Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System 
Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "DNS Amplification Attacks", "author": "Bhavin Patel, Splunk", "date": "2016-09-13", "version": 1, "id": "a563972b-d2e2-4978-b6ca-6e83e24af4d3", "description": "DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.", "narrative": "The Domain Name System (DNS) is the protocol used to map domain names to IP addresses. It has been proven to work very well for its intended function. However if DNS is misconfigured, servers can be abused by attackers to levy amplification or redirection attacks against victims. Because DNS responses to `ANY` queries are so much larger than the queries themselves--and can be made with a UDP packet, which does not require a handshake--attackers can spoof the source address of the packet and cause much more data to be sent to the victim than if they sent the traffic themselves. The `ANY` requests are will be larger than normal DNS server requests, due to the fact that the server provides significant details, such as MX records and associated IP addresses. A large volume of this traffic can result in a DOS on the victim's machine. 
This misconfiguration leads to two possible victims, the first being the DNS servers participating in an attack and the other being the hosts that are the targets of the DOS attack.\\\nThe search in this story can help you to detect if attackers are abusing your company's DNS infrastructure to launch DNS amplification attacks causing Denial of Service to other victims.", "references": ["https://www.us-cert.gov/ncas/alerts/TA13-088A", "https://www.imperva.com/learn/application-security/dns-amplification/"], "tags": {"name": "DNS Amplification Attacks", "analytic_story": "DNS Amplification Attacks", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1498.002", "mitre_attack_technique": "Reflection Amplification", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Impact"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - Large Volume of DNS ANY Queries - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Large Volume of DNS ANY Queries", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Reflection Amplification"}]}}]}, {"name": "DNS Hijacking", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 1, "id": "8169f17b-ef68-4b59-aa28-586907301221", "description": "Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.", "narrative": "Dubbed the 
Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613), DNS plays a critical role in routing web traffic but is notoriously vulnerable to attack. One reason is its distributed nature. It relies on unstructured connections between millions of clients and servers over inherently insecure protocols.\\\nThe gravity and extent of the importance of securing DNS from attacks is undeniable. The fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can intercept confidential information, emails, and login credentials, as well. \\\nOn January 22, 2019, the US Department of Homeland Security 2019's Cybersecurity and Infrastructure Security Agency (CISA) raised awareness of some high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad. It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which summarized the activity and required government agencies to take the following four actions, all within 10 days: \\\n1. For all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers, verify that they resolve to the intended location or report them to CISA.\\\n1. Update the passwords for all accounts on systems that can make changes to each agency 2019's DNS records.\\\n1. Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to each agency's 2019 DNS records or, if impossible, provide CISA with the names of systems, the reasons why MFA cannot be enabled within the required timeline, and an ETA for when it can be enabled.\\\n1. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies must immediately begin monitoring CT log data for certificates issued that they did not request. 
If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA. Of course, it makes sense to put equivalent actions in place within your environment, as well. \\\nIn DNS hijacking, the attacker assumes control over an account or makes use of a DNS service exploit to make changes to DNS records. Once they gain access, attackers can substitute their own MX records, name-server records, and addresses, redirecting emails and traffic through their infrastructure, where they can read, copy, or modify information seen. They can also generate valid encryption certificates to help them avoid browser-certificate checks. In one notable attack on the Internet service provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively minor change that did not inflict excessive damage but allowed for more effective spam campaigns.\\\nThe searches in this Analytic Story help you detect and investigate activities that may indicate that DNS hijacking has taken place within your environment.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "tags": {"name": "DNS Hijacking", "analytic_story": "DNS Hijacking", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": 
"T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS record changed - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task"], "baseline_names": ["ESCU - Discover DNS records"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over 
Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS record changed", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}]}, {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "author": "Mauricio Velazco, Splunk", "date": "2021-12-20", "version": 1, "id": "0244fdee-61be-11ec-900e-acde48001122", "description": "Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.", "narrative": "On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). 
On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "tags": {"name": "sAMAccountName Spoofing and Domain Controller Impersonation", "analytic_story": "sAMAccountName Spoofing and Domain Controller Impersonation", "category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat 
Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Suspicious Computer Account Name Change - Rule", "ESCU - Suspicious Kerberos Service Ticket Request - Rule", "ESCU - Suspicious Ticket Granting Ticket Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "Suspicious Computer Account Name Change", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Suspicious Ticket Granting Ticket Request", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Domain Accounts"}]}}]}, {"name": "Domain Trust Discovery", "author": "Michael Haag, Splunk", "date": "2021-03-25", "version": 1, "id": "e6f30f14-8daf-11eb-a017-acde48001122", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.", "narrative": "Domain trusts provide a mechanism for a domain to 
allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.", "references": ["https://attack.mitre.org/techniques/T1482/"], "tags": {"name": "Domain Trust Discovery", "analytic_story": "Domain Trust Discovery", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - DSQuery Domain Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Windows AdFind Exe - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "DSQuery Domain Discovery", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}]}, {"name": "Double Zero Destructor", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2022-03-25", "version": 1, "id": "f56e8c00-3224-4955-9a6e-924ec7da1df7", "description": "Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes killswitch if detected. Overwrites files with Zero blocks or using MS Windows API calls such as NtFileOpen, NtFSControlFile. This payload also deletes registry hives HKCU,HKLM, HKU, HKLM BCD.", "narrative": "Double zero destructor enumerates domain controllers, delete registry hives and overwrites files using zero blocks and API calls.", "references": ["https://cert.gov.ua/article/38088", "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"], "tags": {"name": "Double Zero Destructor", "analytic_story": "Double Zero Destructor", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Deleted Registry By A Non Critical Process File Path - Rule", "ESCU - Windows Terminating Lsass Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Deleted Registry By A Non Critical Process File Path", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Terminating Lsass Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}]}, {"name": "Dynamic DNS", "author": "Bhavin Patel, Splunk", "date": "2018-09-06", "version": 2, "id": "8169f17b-ef68-4b59-aae8-586907301221", "description": "Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.", "narrative": "Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender's analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. 
While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.", "references": ["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/", "http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/", "https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html"], "tags": {"name": "Dynamic DNS", "analytic_story": "Dynamic DNS", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1071.001", "mitre_attack_technique": "Web Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Confucius", "Dark Caracal", "FIN13", "FIN4", "FIN8", "Gamaredon Group", "HAFNIUM", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "OilRig", "Orangeworm", "Rancor", "Rocke", "Sandworm Team", "Sidewinder", "SilverTerrier", "Stealth Falcon", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "Windshift", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", 
"APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution", "Web"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Detect web traffic to dynamic domain providers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect web traffic to dynamic domain providers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Protocols"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, 
{"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}]}, {"name": "Emotet Malware DHS Report TA18-201A ", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "bb9f5ed2-916e-4364-bb6d-91c310efcf52", "description": "Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.", "narrative": "The trojan downloader known as Emotet first surfaced in 2014, when it was discovered targeting the banking industry to steal credentials. However, according to a joint technical alert (TA) issued by three government agencies (https://www.us-cert.gov/ncas/alerts/TA18-201A), Emotet has evolved far beyond those beginnings to become what a ThreatPost article called a threat-delivery service(see https://threatpost.com/emotet-malware-evolves-beyond-banking-to-threat-delivery-service/134342/). For example, in early 2018, Emotet was found to be using its loader function to spread the Quakbot and Ransomware variants. \\\nAccording to the TA, the the malware continues to be among the most costly and destructive malware affecting the private and public sectors. Researchers have linked it to the threat group Mealybug, which has also been on the security communitys radar since 2014.\\\nThe searches in this Analytic Story will help you find executables that are rarely used in your environment, specific registry paths that malware often uses to ensure survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that Emotet or other malware has compromised your environment. 
", "references": ["https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html"], "tags": {"name": "Emotet Malware DHS Report TA18-201A ", "analytic_story": "Emotet Malware DHS Report TA18-201A ", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", 
"FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1072", "mitre_attack_technique": "Software Deployment Tools", "mitre_attack_tactics": ["Execution", "Lateral Movement"], "mitre_attack_groups": ["APT32", "Sandworm Team", "Silence", "Threat Group-1314"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, 
{"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Email", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Detection of tools built by NirSoft - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Add Prohibited Processes to Enterprise Security"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", 
"tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detection of tools built by NirSoft", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Software Deployment Tools"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "F5 Authentication Bypass with TMUI", "author": "Michael Haag, Splunk", "date": "2023-10-30", "version": 1, "id": "e4acbea6-75bb-4873-8c22-bc2da9525e89", "description": "Research into leading software revealed vulnerabilities in both Apache Tomcat and the F5 BIG-IP suite. Apache's AJP protocol vulnerability, designated CVE-2022-26377, relates to AJP request smuggling. Successful exploitation enables unauthorized system activities. 
F5 BIG-IP Virtual Edition exhibited a distinct vulnerability, an authentication bypass in the Traffic Management User Interface (TMUI), resulting in system compromise. Assigned CVE-2023-46747, this vulnerability also arose from request smuggling, bearing similarity to CVE-2022-26377. Given the wide adoption of both Apache Tomcat and F5 products, these vulnerabilities present grave risks to organizations. Remediation and vulnerability detection mechanisms are essential to address these threats effectively.", "narrative": "Both Apache Tomcat's AJP protocol and F5's BIG-IP Virtual Edition have been exposed to critical vulnerabilities. Apache's CVE-2022-26377 pertains to request smuggling by manipulating the \"Transfer-Encoding\" header. If successfully exploited, this allows attackers to bypass security controls and undertake unauthorized actions. \\\nSimilarly, F5 BIG-IP unveiled an authentication bypass vulnerability, CVE-2023-46747. Originating from the TMUI, this vulnerability leads to full system compromise. While distinct, it shares characteristics with Apache's vulnerability, primarily rooted in request smuggling. This vulnerability drew from past F5 CVEs, particularly CVE-2020-5902 and CVE-2022-1388, both previously exploited in real-world scenarios. These highlighted vulnerabilities in Apache HTTP and Apache Tomcat services, as well as authentication flaws in the F5 BIG-IP API.\\\nNuclei detection templates offer a proactive solution for identifying and mitigating these vulnerabilities. Integrated into vulnerability management frameworks, these templates notify organizations of potential risks, forming a base for further detection strategies. For detection engineers, understanding these vulnerabilities is crucial. Recognizing the mechanisms and effects of request smuggling, especially in Apache's and F5's context, provides a roadmap to effective detection and response. 
Prompt detection is a linchpin, potentially stymieing further, more destructive attacks.", "references": ["https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/", "https://github.com/projectdiscovery/nuclei-templates/blob/3b0bb71bd627c6c3139e1d06c866f8402aa228ae/http/cves/2023/CVE-2023-46747.yaml"], "tags": {"name": "F5 Authentication Bypass with TMUI", "analytic_story": "F5 Authentication Bypass with TMUI", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Web"], "kill_chain_phases": []}, "detection_names": ["ESCU - F5 TMUI Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 TMUI Authentication Bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "author": "Michael Haag, Splunk", "date": "2022-05-10", "version": 1, "id": "0367b177-f8d6-4c4b-a62d-86f52a590bff", "description": "CVE-2022-1388 is a unauthenticated remote code execution vulnerablity against BIG-IP iControl REST API.", "narrative": "CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks'' BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5''s iControl REST authentication. The vulnerability was first discovered by F5''s internal product security team and disclosed publicly on May 4, 2022, per Randori. This vulnerability,CVE-2022-1388, may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. 
There is no data plane exposure; this is a control plane issue only per F5 article K23605346. Is CVE-2022-1388 Exploitable? Yes. There are now multiple POC scripts available and reports of threat actors scanning and potentially exploiting the vulnerablity. Per Randori the specific interface needed to exploit this vulnerability is rarely publicly exposed, and the risk to most organizations of exploitation by an unauthenticated external actor is low.", "references": ["https://github.com/dk4trin/templates-nuclei/blob/main/CVE-2022-1388.yaml", "https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388", "https://twitter.com/da_667/status/1523770267327250438?s=20&t=-JnB_aNWuJFsmcOmxGUWLQ", "https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py"], "tags": {"name": "F5 BIG-IP Vulnerability CVE-2022-1388", "analytic_story": "F5 BIG-IP Vulnerability CVE-2022-1388", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered 
Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "F5 BIG-IP iControl REST Vulnerability CVE-2022-1388", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "F5 TMUI RCE CVE-2020-5902", "author": "Shannon Davis, Splunk", "date": "2020-08-02", "version": 1, "id": "7678c968-d46e-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.", "narrative": "A client is able to perform a remote code execution on an exposed and vulnerable system. The detection search in this Analytic Story uses syslog to detect the malicious behavior. Syslog is going to be the best detection method, as any systems using SSL to protect their management console will make detection via wire data difficult. 
The searches included used Splunk Connect For Syslog (https://splunkbase.splunk.com/app/4740/), and used a custom destination port to help define the data as F5 data (covered in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/F5/)", "references": ["https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/"], "tags": {"name": "F5 TMUI RCE CVE-2020-5902", "analytic_story": "F5 TMUI RCE CVE-2020-5902", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Detect F5 TMUI RCE CVE-2020-5902 - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect F5 TMUI RCE CVE-2020-5902", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "FIN7", "author": "Teoderick Contreras, Splunk", "date": "2021-09-14", "version": 1, "id": 
"df2b00d3-06ba-49f1-b253-b19cef19b569", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.", "narrative": "FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.", "references": ["https://en.wikipedia.org/wiki/FIN7", "https://threatpost.com/fin7-windows-11-release/169206/", "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"], "tags": {"name": "FIN7", "analytic_story": "FIN7", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, 
{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", 
"FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", 
"mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Delivery", 
"Exploitation", "Installation"]}, "detection_names": ["ESCU - Check Elevated CMD using whoami - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - MS Scripting Process Loading Ldap Module - Rule", "ESCU - MS Scripting Process Loading WMI Module - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Check Elevated CMD using whoami", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "MS Scripting Process Loading Ldap Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "MS Scripting Process Loading WMI Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, 
{"mitre_attack_technique": "JavaScript"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create 
or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}]}, {"name": "Flax Typhoon", "author": "Michael Haag, Splunk", "date": "2023-08-25", "version": 1, "id": "78fadce9-a07f-4508-8d14-9b20052a62cc", "description": "Microsoft has identified a nation-state activity group, Flax Typhoon, based in China, targeting Taiwanese organizations for espionage. The group maintains long-term access to networks with minimal use of malware, relying on built-in OS tools and benign software. The group's activities are primarily focused on Taiwan, but the techniques used could be easily reused in other operations outside the region. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.", "narrative": "Flax Typhoon has been active since mid-2021, targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan. The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client. However, they primarily rely on living-off-the-land techniques and hands-on-keyboard activity. Initial access is achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells. Following initial access, Flax Typhoon uses command-line tools to establish persistent access over the remote desktop protocol, deploy a VPN connection to actor-controlled network infrastructure, and collect credentials from compromised systems. 
The group also uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "tags": {"name": "Flax Typhoon", "analytic_story": "Flax Typhoon", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], 
"mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", 
"OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Overwriting Accessibility Binaries - 
Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows SQL Spawning CertUtil - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows SQL Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Forest Blizzard", "author": "Michael Haag, Splunk", "date": "2023-09-11", "version": 1, "id": "2c1aceda-f0a5-4c83-8543-e23ec1466958", "description": "CERT-UA has unveiled a cyberattack on Ukraine's energy infrastructure, orchestrated via deceptive emails. These emails, once accessed, lead to a multi-stage cyber operation downloading and executing malicious payloads. Concurrently, Zscaler's \"Steal-It\" campaign detection revealed striking similarities, hinting at a shared origin - APT28 or Fancy Bear. This notorious group, linked to Russia's GRU, utilizes legitimate platforms like Mockbin, making detection challenging. Their operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.", "narrative": "APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, their signature move involves spear-phishing emails, leading to multi-tiered cyberattacks. In Ukraine's recent breach, a ZIP archive's execution triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler's \"Steal-It\" campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28's hallmark is their \"Living Off The Land\" strategy, manipulating legitimate tools and services to blend in, evading detection. 
Their innovative tactics, coupled with a geofencing focus on specific regions, make them a formidable cyber threat, highlighting the urgent need for advanced defense strategies.", "references": ["https://cert.gov.ua/article/5702579", "https://www.zscaler.com/blogs/security-research/steal-it-campaign", "https://attack.mitre.org/groups/G0007/"], "tags": {"name": "Forest Blizzard", "analytic_story": "Forest Blizzard", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", "Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", 
"Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CHCP Command Execution - Rule", "ESCU - Headless Browser Mockbin or Mocky Request - Rule", "ESCU - Headless Browser Usage - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}, {"name": "CHCP Command Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Headless Browser Mockbin or Mocky Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Window"}]}}, {"name": "Headless Browser Usage", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Window"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Fortinet FortiNAC CVE-2022-39952", "author": "Michael Haag, Splunk", "date": "2023-02-21", "version": 1, "id": "2833a527-3b7f-41af-a950-39f7bbaff819", "description": "On Thursday, 16 February 2023, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product (Horizon3.ai).", "narrative": "This vulnerability, discovered by Gwendal Guegniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user (Horizon3.ai). Impacting FortiNAC, is tracked as CVE-2022-39952 and has a CVSS v3 score of 9.8 (critical). FortiNAC is a network access control solution that helps organizations gain real time network visibility, enforce security policies, and detect and mitigate threats. 
An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system, reads the security advisory.", "references": ["https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/", "https://viz.greynoise.io/tag/fortinac-rce-attempt?days=30", "https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaws-in-fortinac-and-fortiweb/"], "tags": {"name": "Fortinet FortiNAC CVE-2022-39952", "analytic_story": "Fortinet FortiNAC CVE-2022-39952", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Michael Haag", "detections": [{"name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "GCP Account Takeover", "author": "Mauricio Velazco, Bhavin Patel, Splunk", "date": "2022-10-12", "version": 1, "id": "8601caff-414f-4c6d-9a04-75b66778869d", "description": "Monitor for activities and techniques associated with Account Takover attacks against Google Cloud Platform tenants.", "narrative": "Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. 
This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.", "references": ["https://cloud.google.com/gcp", "https://cloud.google.com/architecture/identity/overview-google-authentication", "https://attack.mitre.org/techniques/T1586/", "https://www.imperva.com/learn/application-security/account-takeover-ato/", "https://www.barracuda.com/glossary/account-takeover"], "tags": {"name": "GCP Account Takeover", "analytic_story": "GCP Account Takeover", "category": ["Account Compromise"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", 
"mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1556.006", "mitre_attack_technique": "Multi-Factor Authentication", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - GCP Authentication Failed During MFA Challenge - Rule", "ESCU - GCP Multi-Factor Authentication Disabled - Rule", "ESCU - GCP Multiple Failed MFA Requests For User - Rule", "ESCU - GCP Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - GCP Successful Single-Factor Authentication - Rule", "ESCU - GCP Unusual Number of Failed Authentications From Ip - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Bhavin Patel, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "GCP 
Authentication Failed During MFA Challenge", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "GCP Multi-Factor Authentication Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}, {"mitre_attack_technique": "Multi-Factor Authentication"}]}}, {"name": "GCP Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "GCP Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "GCP Successful Single-Factor Authentication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}]}}, {"name": "GCP Unusual Number of Failed Authentications From Ip", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}]}, {"name": "GCP Cross Account Activity", "author": "Rod Soto, Splunk", "date": "2020-09-01", "version": 1, "id": "0432039c-ef41-4b03-b157-450c25dad1e6", "description": "Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.", "narrative": "Google Cloud Platform (GCP) admins manage access to GCP resources and services across the enterprise using GCP Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage GCP users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as Compute instances, the GCP Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are potentially assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.\\\nIn between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.\\\nThis Analytic Story includes searches that will help you monitor your GCP Audit logs logs for evidence of suspicious cross-account activity. For example, while accessing multiple GCP accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. 
After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.", "references": ["https://cloud.google.com/iam/docs/understanding-service-accounts"], "tags": {"name": "GCP Cross Account Activity", "analytic_story": "GCP Cross Account Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Email"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - GCP Detect gcploit framework - Rule", "ESCU - GCP Detect accounts with high risk roles by project - Rule", "ESCU - GCP Detect high risk permissions by resource and account - Rule", "ESCU - gcp detect oauth token abuse - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "GCP Detect gcploit framework", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "GCP Detect accounts with high risk roles by project", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "GCP Detect high risk permissions by resource and account", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "gcp detect oauth token abuse", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Graceful Wipe Out Attack", "author": "Teoderick Contreras, Splunk", "date": "2023-06-15", "version": 1, "id": "83b15b3c-6bda-45aa-a3b6-b05c52443f44", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by \"THE DFIR Report\" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.", "narrative": "Graceful Wipe Out Attack is a destructive malware campaign found by \"The DFIR Report\" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. 
This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.", "references": ["https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"], "tags": {"name": "Graceful Wipe Out Attack", "analytic_story": "Graceful Wipe Out Attack", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": 
["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1531", 
"mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat 
Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": 
"T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, 
{"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Echo Pipe - Escalation - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - DLLHost with no Command Line Arguments with Network - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - GPUpdate with no Command Line Arguments with Network - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - SearchProtocolHost 
with no Command Line with Network - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Services Escalate Exe - Rule", "ESCU - Suspicious DLLHost no Command Line Arguments - Rule", "ESCU - Suspicious GPUpdate no Command Line Arguments - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Suspicious SearchProtocolHost no Command Line Arguments - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Service Stop By Deletion - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Echo Pipe - Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "DLLHost with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "GPUpdate with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "SearchProtocolHost with no Command Line with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Services Escalate Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Suspicious DLLHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious GPUpdate no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, 
{"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious SearchProtocolHost no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Service Stop By Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "HAFNIUM Group", "author": "Michael Haag, Splunk", "date": "2021-03-03", "version": 1, "id": "beae2ab0-7c3f-11eb-8b63-acde48001122", "description": "HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.", "narrative": "On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.\\\nWhile the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. 
This includes the ability to run code as SYSTEM and write to any path on the server.\\\nThe following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"], "tags": {"name": "HAFNIUM Group", "analytic_story": "HAFNIUM Group", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting 
Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang 
Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": 
["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Execution", "Initial Access", "Lateral 
Movement", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Email servers sending high volume traffic to hosts - Rule", "ESCU - Dump LSASS via procdump Rename - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect New Local Admin account - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Dump LSASS via procdump - Rule", "ESCU - Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Nishang PowershellTCPOneLine - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - W3WP Spawning Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Email servers sending high volume traffic to hosts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "Dump LSASS via procdump Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software 
Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect New Local Admin account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via procdump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Nishang PowershellTCPOneLine", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Ntdsutil Export NTDS", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}]}, {"name": "Hermetic Wiper", "author": "Teoderick Contreras, Rod Soto, Michael Haag, Splunk", "date": "2022-03-02", "version": 1, "id": "b7511c2e-9a10-11ec-99e3-acde48001122", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as \"Hermetic Wiper\". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.", "narrative": "Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. 
This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.", "references": ["https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"], "tags": {"name": "Hermetic Wiper", "analytic_story": "Hermetic Wiper", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic 
Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active 
Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", 
"mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", 
"Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, 
{"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", 
"Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy 
Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", 
"mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Email", "Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Executable File Written 
in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows File Without Extension In Critical Folder - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - 
Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Michael Haag, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default 
File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Linux Java Spawning 
Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, 
{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows File Without Extension In Critical Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}]}, {"name": "Hidden Cobra Malware", "author": "Rico Valdez, Splunk", "date": "2020-01-22", "version": 2, "id": "baf7580b-d4b4-4774-8173-7d198e9da335", "description": "Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.", "narrative": "North Korea's government-sponsored \"cyber army\" has been slowly building momentum and gaining sophistication over the last 15 years or so. As a result, the group's activity, which the US government refers to as \"Hidden Cobra,\" has surreptitiously crept onto the collective radar as a preeminent global threat.\\\nThese state-sponsored actors are thought to be responsible for everything from a hack on a South Korean nuclear plant to an attack on Sony in anticipation of its release of the movie \"The Interview\" at the end of 2014. They're also notorious for cyberespionage. In recent years, the group seems to be focused on financial crimes, such as cryptojacking.\\\nIn June of 2018, The Department of Homeland Security, together with the FBI and other U.S. government partners, issued Technical Alert (TA-18-149A) to advise the public about two variants of North Korean malware. 
One variant, dubbed \"Joanap,\" is a multi-stage peer-to-peer botnet that allows North Korean state actors to exfiltrate data, download and execute secondary payloads, and initialize proxy communications. The other variant, \"Brambul,\" is a Windows32 SMB worm that is dropped into a victim network. When executed, the malware attempts to spread laterally within a victim's local subnet, connecting via the SMB protocol and initiating brute-force password attacks. It reports details to the Hidden Cobra actors via email, so they can use the information for secondary remote operations.\\\nAmong other searches in this Analytic Story is a detection search that looks for the creation or deletion of hidden shares, such as, \"adnim$,\" which the Hidden Cobra malware creates on the target system. Another looks for the creation of three malicious files associated with the malware. You can also use a search in this story to investigate activity that indicates that malware is sending email back to the attackers.", "references": ["https://web.archive.org/web/20191220004307/https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://web.archive.org/web/20220421112536/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"], "tags": {"name": "Hidden Cobra Malware", "analytic_story": "Hidden Cobra Malware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", 
"FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", 
"Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Defense 
Evasion", "Execution", "Exfiltration", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Suspicious File Write - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Remote Desktop Process Running On System - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Outbound Emails to Hidden Cobra Threat Actors - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Baseline of DNS Query Length - MLTK", "ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, 
{"name": "Suspicious File Write", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Remote Desktop Process Running On System", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote 
Services"}]}}]}, {"name": "IIS Components", "author": "Michael Haag, Splunk", "date": "2022-12-19", "version": 1, "id": "0fbde550-8252-43ab-a26a-03976f55b58b", "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.", "narrative": "IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.\\\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.\\\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. 
(reference MITRE)", "references": ["https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", "https://attack.mitre.org/techniques/T1505/004/", "https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/bronze-union", "https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html"], "tags": {"name": "IIS Components", "analytic_story": "IIS Components", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows IIS Components Add New Module - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - Windows IIS Components Module Failed to Load - Rule", "ESCU - Windows IIS 
Components New Module Added - Rule", "ESCU - Windows PowerShell Add Module to Global Assembly Cache - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows PowerShell IIS Components WebGlobalModule Usage - Rule", "ESCU - Windows Server Software Component GACUtil Install to GAC - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components Add New Module", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}}, {"name": "Windows IIS Components Module Failed to Load", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows IIS Components New Module Added", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell Add Module to Global Assembly Cache", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS 
Components"}]}}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows PowerShell IIS Components WebGlobalModule Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Server Software Component GACUtil Install to GAC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}]}, {"name": "Industroyer2", "author": "Teoderick Contreras, Splunk", "date": "2022-04-21", "version": 1, "id": "7ff7db2b-b001-498e-8fe8-caf2dbc3428a", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.", "narrative": "Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. 
This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.", "references": ["https://cert.gov.ua/article/39518", "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"], "tags": {"name": "Industroyer2", "analytic_story": "Industroyer2", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", 
"Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", 
"APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", 
"Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard 
Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - AdsiSearcher Account Discovery - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux DD File Overwrite - Rule", "ESCU - Linux Deleting Critical Directory Using RM Command - Rule", "ESCU - Linux Disable Services - Rule", "ESCU - Linux High Frequency Of 
File Deletion In Boot Folder - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Stdout Redirection To Dev Null File - Rule", "ESCU - Linux Stop Services - Rule", "ESCU - Linux System Network Discovery - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows Linked Policies In ADSI Discovery - Rule", "ESCU - Windows Processes Killed By Industroyer2 Malware - Rule", "ESCU - Windows Root Domain linked policies Discovery - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "AdsiSearcher Account Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": 
"Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux DD File Overwrite", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Deleting Critical Directory Using RM Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Disable Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, 
{"name": "Linux High Frequency Of File Deletion In Boot Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Stdout Redirection To Dev Null File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Stop Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Linked Policies In ADSI Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, 
{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Windows Processes Killed By Industroyer2 Malware", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Root Domain linked policies Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Information Sabotage", "author": "Teoderick Contreras, Splunk", "date": "2021-11-17", "version": 1, "id": "b71ba595-ef80-4e39-8b66-887578a7a71b", "description": "Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.", "narrative": "Information sabotage is the type of crime many people associate with insider threat. 
Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.", "references": ["https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/"], "tags": {"name": "Information Sabotage", "analytic_story": "Information Sabotage", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Exfiltration"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - High Frequency Copy Of Files In Network Share - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}]}, {"name": "Ingress Tool Transfer", "author": "Michael Haag, Splunk", "date": "2021-03-24", "version": 1, "id": "b3782036-8cbd-11eb-9d8e-acde48001122", "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the Command And Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.", "narrative": "Ingress tool transfer is a Technique under tactic Command And Control. 
Behaviors will include the use of living off the land binaries to download implants or binaries over alternate communication ports. It is imperative to baseline applications on endpoints to understand what generates network activity, to where, and what is its native behavior. These utilities, when abused, will write files to disk in world writeable paths.\\ During triage, review the reputation of the remote public destination IP or domain. Capture any files written to disk and perform analysis. Review other parrallel processes for additional behaviors.", "references": ["https://attack.mitre.org/techniques/T1105/"], "tags": {"name": "Ingress Tool Transfer", "analytic_story": "Ingress Tool Transfer", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm 
Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, 
{"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", "FIN6", "HAFNIUM", "Metador", "PLATINUM"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Defense Evasion", "Execution", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Curl Download to Suspicious Path - Rule", "ESCU - Windows Curl Upload to Remote Destination - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": 
"PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux 
Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Curl Download to Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Curl Upload to Remote Destination", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Insider Threat", "author": "Jose Hernandez, Splunk", "date": "2022-05-19", "version": 1, "id": "c633df29-a950-4c4c-a0f8-02be6730797c", "description": "Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.", "narrative": "Insider Threats are best defined by CISA: \"Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). 
To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.\" An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.", "references": ["https://www.imperva.com/learn/application-security/insider-threats/", "https://www.cisa.gov/defining-insider-threats", "https://www.code42.com/glossary/types-of-insider-threats/", "https://github.com/Insider-Threat/Insider-Threat", "https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/"], "tags": {"name": "Insider Threat", "analytic_story": "Insider Threat", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud", "Splunk Behavioral Analytics"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1567.002", "mitre_attack_technique": "Exfiltration to Cloud Storage", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Chimera", "Confucius", "Earth Lusca", "FIN7", "HAFNIUM", "HEXANE", "Kimsuky", "Leviathan", "LuminousMoth", "POLONIUM", "Threat Group-3390", "Turla", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", 
"OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1078.003", "mitre_attack_technique": "Local Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "FIN10", "HAFNIUM", "Kimsuky", "PROMETHIUM", "Tropic Trooper", "Turla"]}, {"mitre_attack_id": "T1552.001", "mitre_attack_technique": "Credentials In Files", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "MuddyWater", "OilRig", "TA505", "TeamTNT"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Exfiltration", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Endpoint"], "kill_chain_phases": ["Actions on 
Objectives", "Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite Outbound Email With Attachment To External Domain - Rule", "ESCU - High Frequency Copy Of Files In Network Share - Rule", "ESCU - Potential password in username - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Gsuite Drive Share In External Email", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration to Cloud Storage"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "Gsuite Outbound Email With Attachment To External Domain", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "High Frequency Copy Of Files In Network Share", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Potential password in username", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Accounts"}, {"mitre_attack_technique": "Credentials In Files"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "Ivanti EPMM Remote Unauthenticated Access", "author": "Michael Haag, Splunk", "date": "2023-08-08", "version": 2, "id": "7e36ca54-c096-4a39-b724-6fc935164f0c", "description": "Ivanti, a leading technology company, has disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2023-35078 and CVE-2023-35081. A recent update concerning CVE-2023-35082, closely related to CVE-2023-35078, reveals its impact on more versions of Ivanti's software than initially believed. The former allows unauthenticated attackers to obtain sensitive data, modify servers, and access the API, potentially leading to data breaches or malicious system modifications. Meanwhile, CVE-2023-35081 lets authenticated administrators remotely write arbitrary files to the server. Both vulnerabilities have been exploited in targeted attacks against government ministries and could be used in conjunction. 
With the presence of PoC code for CVE-2023-35078, the risk of broader exploitation has increased. While initially leveraged in limited attacks, the exploitation is expected to rise, possibly involving state-sponsored actors. Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "narrative": "Ivantis Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core and extensively utilized by IT teams to manage mobile devices, applications, and content, has been found to harbor several critical vulnerabilities. Specifically, CVE-2023-35078 allows remote unauthenticated attackers to access sensitive data and make changes to servers. This flaw has been leveraged in targeted attacks against Norwegian government ministries. In addition, CVE-2023-35081 permits an authenticated attacker with administrative privileges to remotely write arbitrary files to the server. \\\nRecently, attention has shifted to CVE-2023-35082, which was initially believed to affect only MobileIron Core 11.2 and below. Subsequent investigations revealed its wider influence, affecting EPMM versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and earlier. This vulnerability facilitates unauthorized access to the API via the URI path /mifs/asfV3/api/v2/. \\\nWhen combined, these vulnerabilities can be exploited to bypass administrative authentication and access control list (ACL) restrictions, leading to malicious file writing and potential OS command execution. Both have been actively exploited, possibly by state-sponsored actors, prompting urgent advisories from Ivanti and Rapid7, alongside CISA. Given the thousands of potentially vulnerable internet-exposed systems and the presence of PoC code for CVE-2023-35078, the risk of extensive exploitation escalates. The situation is further muddled by Ivanti's 2020 acquisition of MobileIron, which had its known issues. 
Collectively, these vulnerabilities present a significant risk to organizations utilizing Ivanti's EPMM, emphasizing the need for swift patching, vigilant monitoring, and timely application of fixes to counteract potential threats.", "references": ["https://www.securityweek.com/second-ivanti-epmm-zero-day-vulnerability-exploited-in-targeted-attacks/", "https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081", "https://nvd.nist.gov/vuln/detail/CVE-2023-35078", "https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US"], "tags": {"name": "Ivanti EPMM Remote Unauthenticated Access", "analytic_story": "Ivanti EPMM Remote Unauthenticated Access", "category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": 
["Delivery", "Installation"]}, "detection_names": ["ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule", "ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "da229be2-4637-47a5-b551-1d4b64f411c6", "description": "A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise.", "narrative": "CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. 
The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges. \\\nWhile this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry. \\\nAs of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. 
Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely.", "references": ["https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py", "https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/", "https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US"], "tags": {"name": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "analytic_story": "Ivanti Sentry Authentication Bypass CVE-2023-38035", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - Ivanti Sentry Authentication Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Ivanti Sentry Authentication Bypass", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "JBoss Vulnerability", "author": "Bhavin Patel, Splunk", "date": "2017-09-14", "version": 1, "id": "1f5294cb-b85f-4c2d-9c58-ffcf248f52bd", "description": "In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing 
and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.", "narrative": "This Analytic Story looks for probing and exploitation attempts targeting JBoss application servers. While the vulnerabilities associated with this story are rather dated, they were leveraged in a spring 2016 campaign in connection with the Samsam ransomware variant. Incidents involving this ransomware are unique, in that they begin with attacks against vulnerable services, rather than the phishing or drive-by attacks more common with ransomware. In this case, vulnerable JBoss applications appear to be the target of choice.\\\nIt is helpful to understand how often a notable event generated by this story occurs, as well as the commonalities between some of these events, both of which may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. It may also help to understand whether the issue is restricted to a single user/system or whether it is broader in scope.\\\nWhen looking at the target of the behavior uncovered by the event, you should note the sensitivity of the user and or/system to help determine the potential impact. It is also helpful to identify other recent events involving the target. This can help tie different events together and give further situational awareness regarding the target host.\\\nVarious types of information for external systems should be reviewed and, potentially, collected if the incident is, indeed, judged to be malicious. This data may be useful for generating your own threat intelligence, so you can create future alerts.\\\nThe following factors may assist you in determining whether the event is malicious: \\\n1. Country of origin\\\n1. Responsible party\\\n1. 
Fully qualified domain names associated with the external IP address\\\n1. Registration of fully qualified domain names associated with external IP address Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you qualify and understand the event and possible motivation for the attack. In addition, there are various sources that may provide reputation information on the IP address or domain name, which can assist you in determining whether the event is malicious in nature. Finally, determining whether there are other events associated with the IP address may help connect data points or expose other historic events that might be brought back into scope.\\\nGathering various data on the system of interest can sometimes help quickly determine whether something suspicious is happening. Some of these items include determining who else may have logged into the system recently, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and/or whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.\\\nhen a specific service or application is targeted, it is often helpful to know the associated version, to help determine whether it is vulnerable to a specific exploit.\\\nIf you suspect an attack targeting a web server, it is helpful to look at some of the behavior of the web service to see if there is evidence that the service has been compromised. 
Some indications of this might be network connections to external resources, the web service spawning child processes that are not associated with typical behavior, and whether the service wrote any files that might be malicious in nature.\\\nIf a suspicious file is found, we can review more information about it to help determine if it is, in fact, malicious. Identifying the file type, any processes that opened the file, the processes that may have created and/or modified the file, and how many other systems potentially have this file can you determine whether the file is malicious. Also, determining the file hash and checking it against reputation sources, such as VirusTotal, can sometimes help you quickly determine if it is malicious in nature.\\\nOften, a simple inspection of a suspect process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when simply reviewing process names. \\\nIt can also be helpful to examine various behaviors of and the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see whether the parent process spawned other processes that might also warrant further scrutiny. 
If a process is suspect, a review of the network connections made around the time of the event and noting whether the process has spawned any child processes could be helpful in determining whether it is malicious or executing a malicious script.", "references": ["http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html"], "tags": {"name": "JBoss Vulnerability", "analytic_story": "JBoss Vulnerability", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Discovery", "Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect 
malicious requests to exploit JBoss servers - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "JetBrains TeamCity Unauthenticated RCE", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "7ef2d230-9dbb-4d13-9263-a7d8c3aad9bf", "description": "A critical security vulnerability, CVE-2023-42793, has been discovered affecting all versions of TeamCity On-Premises up to 2023.05.3. This vulnerability allows unauthenticated attackers to execute remote code and gain administrative control of the TeamCity server, posing a significant risk for supply chain attacks. Although the issue has been fixed in version 2023.05.4, servers running older versions remain at risk. A security patch plugin has been released for immediate mitigation, applicable to TeamCity versions 8.0 and above. Organizations are strongly advised to update to the fixed version or apply the security patch, especially if their TeamCity server is publicly accessible. No impact has been reported on TeamCity Cloud as it has been upgraded to the secure version.", "narrative": "The CVE-2023-42793 vulnerability in TeamCity On-Premises allows an unauthenticated attacker to bypass authentication and gain administrative access through Remote Code Execution (RCE). Specifically, the attacker can send a malicious POST request to /app/rest/users/id:1/tokens/RPC2 to create an administrative token. 
Once the token is obtained, the attacker has the ability to perform various unauthorized activities, including creating new admin users and executing arbitrary shell commands on the server. \\ For Splunk Security Content, the focus should be on identifying suspicious POST requests to /app/rest/users/id:1/tokens/RPC2 and other affected API endpoints, as this is the initial point of exploitation. Monitoring logs for changes to the internal.properties file or the creation of new admin users could also provide crucial indicators of compromise. Furthermore, Splunk can be configured to alert on multiple failed login attempts followed by a successful login from the same IP, which could indicate exploitation attempts.", "references": ["https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/", "https://www.sonarsource.com/blog/teamcity-vulnerability/", "https://github.com/rapid7/metasploit-framework/pull/18408", "https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis"], "tags": {"name": "JetBrains TeamCity Unauthenticated RCE", "analytic_story": "JetBrains TeamCity Unauthenticated RCE", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - 
JetBrains TeamCity RCE Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "JetBrains TeamCity RCE Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Juniper JunOS Remote Code Execution", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "3fcef843-c97e-4cf3-a72f-749be480cee3", "description": "Juniper Networks has resolved multiple critical vulnerabilities in the J-Web component of Junos OS on SRX and EX Series devices. These vulnerabilities, when chained together, could allow an unauthenticated, network-based attacker to remotely execute code on the devices. The vulnerabilities affect all versions of Junos OS on SRX and EX Series, but specific fixes have been released to address each vulnerability. Juniper Networks recommends applying the necessary fixes to mitigate potential remote code execution threats. As a workaround, users can disable J-Web or limit access to only trusted hosts. Proof-of-concept (PoC) exploit code has been released, demonstrating the severity of these flaws and the urgency to apply the fixes.", "narrative": "Juniper Networks, a networking hardware company, has released an \"out-of-cycle\" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The flaws have a cumulative CVSS rating of 9.8, making them critical in severity. They affect all versions of Junos OS on SRX and EX Series. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. The vulnerabilities include two PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845) and two missing authentications for critical function vulnerabilities (CVE-2023-36846 and CVE-2023-36847). 
These vulnerabilities could allow an unauthenticated, network-based attacker to control certain important environment variables, cause limited impact to the file system integrity, or upload arbitrary files via J-Web without any authentication. \\\nThe vulnerabilities have been addressed in specific Junos OS versions for EX Series and SRX Series devices. Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests disabling J-Web or limiting access to only trusted hosts. \\\nAdditionally, a PoC exploit has been released by watchTowr, combining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file to load the booby-trapped PHP script. WatchTowr noted that this is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a \"world-ending\" unauthenticated remote code execution. 
\\\nIn conclusion, these vulnerabilities pose a significant threat to Juniper SRX and EX Series devices, and it is imperative for users to apply the necessary fixes or implement the recommended workaround to mitigate the potential impact.", "references": ["https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US", "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml", "https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html", "https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844", "https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/"], "tags": {"name": "Juniper JunOS Remote Code Execution", "analytic_story": "Juniper JunOS Remote Code Execution", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", 
"Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - Juniper Networks Remote Code Execution Exploit Detection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Juniper Networks Remote Code Execution Exploit Detection", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Kubernetes Scanning Activity", "author": "Rod Soto, Splunk", "date": "2020-04-15", "version": 1, "id": "a9ef59cf-e981-4e66-9eef-bb049f695c09", "description": "This story addresses detection against Kubernetes cluster fingerprint scan and attack by 
providing information on items such as source ip, user agent, cluster names.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitve information and management priviledges of production workloads, microservices and applications. These searches allow operator to detect suspicious unauthenticated requests from the internet to kubernetes cluster.", "references": ["https://github.com/splunk/cloud-datamodel-security-research"], "tags": {"name": "Kubernetes Scanning Activity", "analytic_story": "Kubernetes Scanning Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Amazon EKS Kubernetes cluster scan detection - Rule", "ESCU - Amazon EKS Kubernetes Pod scan detection - Rule", "ESCU - GCP Kubernetes cluster pod scan detection - Rule", "ESCU - GCP Kubernetes cluster scan detection - Rule", "ESCU - Kubernetes Azure pod scan fingerprint - Rule", "ESCU - Kubernetes Azure scan fingerprint - Rule"], "investigation_names": ["ESCU - Amazon EKS Kubernetes activity by src ip - Response Task", "ESCU - GCP Kubernetes activity by src ip - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": "Amazon EKS Kubernetes cluster scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Amazon EKS Kubernetes Pod scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "GCP Kubernetes cluster pod scan detection", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "GCP Kubernetes cluster scan detection", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Kubernetes Azure pod scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure scan fingerprint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}]}, {"name": "Kubernetes Security", "author": "Patrick Bareiss", "date": "2023-12-06", "version": 1, "id": "77006b3a-306c-4e32-afd5-30b6e40c1c41", "description": "Kubernetes, as a container orchestration platform, faces unique security challenges. This story explores various tactics and techniques adversaries use to exploit Kubernetes environments, including attacking the control plane, exploiting misconfigurations, and compromising containerized applications.", "narrative": "Kubernetes, a widely used container orchestration system, presents a complex environment that can be targeted by adversaries. Key areas of concern include the control plane, worker nodes, and network communication. Attackers may attempt to exploit vulnerabilities in the Kubernetes API, misconfigured containers, or insecure network policies. The control plane, responsible for managing cluster operations, is a prime target. Compromising this can give attackers control over the entire cluster. Worker nodes, running the containerized applications, can be targeted to disrupt services or to gain access to sensitive data. 
Common attack vectors include exploiting vulnerabilities in container images, misconfigured role-based access controls (RBAC), exposed Kubernetes dashboards, and insecure network configurations. Attackers can also target the supply chain, injecting malicious code into container images or Helm charts. To mitigate these threats, it is essential to enforce robust security practices such as regular vulnerability scanning, implementing least privilege access, securing the control plane, network segmentation, and continuous monitoring for suspicious activities. Tools like Kubernetes Network Policies, Pod Security Policies, and third-party security solutions can provide additional layers of defense.", "references": ["https://kubernetes.io/docs/concepts/security/"], "tags": {"name": "Kubernetes Security", "analytic_story": "Kubernetes Security", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.007", "mitre_attack_technique": "Container API", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1046", "mitre_attack_technique": "Network Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "APT41", "BackdoorDiplomacy", "BlackTech", "Chimera", "Cobalt Group", "DarkVishnya", "FIN13", "FIN6", "Fox Kitten", "Lazarus Group", "Leafminer", "Magic Hound", "Naikon", "OilRig", "Rocke", "Suckfly", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1526", "mitre_attack_technique": "Cloud Service Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Discovery", "Execution"], "datamodels": 
[], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Kubernetes Abuse of Secret by Unusual Location - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Agent - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Group - Rule", "ESCU - Kubernetes Abuse of Secret by Unusual User Name - Rule", "ESCU - Kubernetes Access Scanning - Rule", "ESCU - Kubernetes Suspicious Image Pulling - Rule", "ESCU - Kubernetes Unauthorized Access - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Patrick Bareiss", "detections": [{"name": "Kubernetes Abuse of Secret by Unusual Location", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Container API"}]}}, {"name": "Kubernetes Abuse of Secret by Unusual User Agent", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Container API"}]}}, {"name": "Kubernetes Abuse of Secret by Unusual User Group", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Container API"}]}}, {"name": "Kubernetes Abuse of Secret by Unusual User Name", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Container API"}]}}, {"name": "Kubernetes Access Scanning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Service Discovery"}]}}, {"name": "Kubernetes Suspicious Image Pulling", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Service Discovery"}]}}, {"name": "Kubernetes Unauthorized Access", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}]}, {"name": "Kubernetes Sensitive Object Access Activity", "author": "Rod Soto, Splunk", "date": "2020-05-20", "version": 1, 
"id": "c7d4dbf0-a171-4eaf-8444-4f40392e4f92", "description": "This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.", "narrative": "Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive objects within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes sensitive objects.", "references": ["https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html"], "tags": {"name": "Kubernetes Sensitive Object Access Activity", "analytic_story": "Kubernetes Sensitive Object Access Activity", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Kubernetes AWS detect suspicious kubectl calls - Rule", "ESCU - AWS EKS Kubernetes cluster sensitive object access - Rule", "ESCU - Kubernetes AWS detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect sensitive object access - Rule", "ESCU - Kubernetes Azure detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes Azure detect suspicious kubectl calls - Rule", "ESCU - Kubernetes GCP detect sensitive object access - Rule", "ESCU - Kubernetes GCP detect service accounts forbidden failure access - Rule", "ESCU - Kubernetes GCP detect suspicious kubectl calls - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rod Soto", "detections": [{"name": 
"Kubernetes AWS detect suspicious kubectl calls", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "AWS EKS Kubernetes cluster sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes AWS detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes Azure detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect sensitive object access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect service accounts forbidden failure access", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Kubernetes GCP detect suspicious kubectl calls", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Linux Living Off The Land", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e405a2d7-dc8e-4227-8e9d-f60267b8c0cd", "description": "Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.", "narrative": "Similar to Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories including Reverse Shell, File Upload, File Download and much more. These binaries are native to the operating system and the functionality is typically native. 
The behaviors are typically not malicious by default or vulnerable, but these are built in functionality of the applications. When reviewing any notables or hunting through mountains of events of interest, it's important to identify the binary, review command-line arguments, path of file, and capture any network and file modifications. Linux analysis may be a bit cumbersome due to volume and how process behavior is seen in EDR products. Piecing it together will require some effort.", "references": ["https://gtfobins.github.io/"], "tags": {"name": "Linux Living Off The Land", "analytic_story": "Linux Living Off The Land", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", 
"mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", 
"Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1095", "mitre_attack_technique": "Non-Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT3", "BITTER", "BackdoorDiplomacy", 
"FIN6", "HAFNIUM", "Metador", "PLATINUM"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.004", "mitre_attack_technique": "SSH", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT39", "BlackTech", "FIN13", "FIN7", "Fox Kitten", "GCMAN", "Lazarus Group", "Leviathan", "OilRig", "Rocke", "TEMP.Veles", "TeamTNT", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Curl Download and Bash Execution - Rule", "ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Clipboard Data Copy - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Curl Upload File - Rule", "ESCU - Linux Decode Base64 to Shell - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux Find Privilege Escalation - Rule", "ESCU - Linux GDB Privilege 
Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Ingress Tool Transfer Hunting - Rule", "ESCU - Linux Ingress Tool Transfer with Curl - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux Obfuscated Files or Information Base64 Decode - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Proxy Socks Curl - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux SSH Authorized Keys Modification - Rule", "ESCU - Linux SSH Remote Services Script Execute - Rule", "ESCU - Suspicious Curl Network Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Busybox Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", 
"type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Clipboard Data Copy", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Curl Upload File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Decode Base64 to Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": 
"Unix Shell"}]}}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Find Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ingress Tool Transfer Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Ingress Tool Transfer with Curl", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Node Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Obfuscated Files or Information Base64 Decode", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Linux Possible Access Or 
Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Proxy Socks Curl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Non-Application Layer Protocol"}]}}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux SSH Authorized Keys Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}]}}, {"name": "Linux SSH Remote Services Script Execute", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH"}]}}, {"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Linux Persistence Techniques", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 1, "id": "e40d13e5-d38b-457e-af2a-e8e6a2f2b516", "description": "Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.", "narrative": "Maintaining persistence is one of the first steps taken by 
attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.", "references": ["https://attack.mitre.org/techniques/T1053/", "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/", "https://gtfobins.github.io/gtfobins/at/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"], "tags": {"name": "Linux Persistence Techniques", "analytic_story": "Linux Persistence Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": 
"T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - 
Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Persistence and Privilege Escalation Risk 
Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudoers Tmp File Creation", "source": 
"endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Linux Post-Exploitation", "author": "Rod Soto", "date": "2021-12-03", "version": 1, "id": "d310ccfe-5477-11ec-ad05-acde48001122", "description": "This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.", "narrative": "These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.", "references": ["https://attack.mitre.org/matrices/enterprise/linux/"], "tags": {"name": "Linux Post-Exploitation", "analytic_story": "Linux Post-Exploitation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Suspicious Linux Discovery Commands - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Rod Soto", "detections": [{"name": "Suspicious Linux Discovery Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}]}}]}, {"name": "Linux Privilege Escalation", "author": "Teoderick Contreras, Splunk", "date": "2021-12-17", "version": 
1, "id": "b9879c24-670a-44c0-895e-98cdb7d0e848", "description": "Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.", "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Linux Privilege Escalation", "analytic_story": "Linux Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1136.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT3", "APT39", "APT41", "Dragonfly", "FIN13", "Fox Kitten", "Kimsuky", "Leafminer", "Magic Hound", "TeamTNT", "Wizard Spider"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": 
["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1548.003", "mitre_attack_technique": "Sudo and Sudo Caching", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1222.002", "mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.001", "mitre_attack_technique": "Setuid and Setgid", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1037.004", "mitre_attack_technique": "RC Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, 
{"mitre_attack_id": "T1546.004", "mitre_attack_technique": "Unix Shell Configuration Modification", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1098.004", "mitre_attack_technique": "SSH Authorized Keys", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca", "TeamTNT"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.008", "mitre_attack_technique": "/etc/passwd and /etc/shadow", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1574.006", "mitre_attack_technique": "Dynamic Linker Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Rocke"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", 
"Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Add User Account - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux apt-get Privilege Escalation - Rule", "ESCU - Linux APT Privilege Escalation - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux AWK Privilege Escalation - Rule", "ESCU - Linux Busybox Privilege Escalation - Rule", "ESCU - Linux c89 Privilege Escalation - Rule", "ESCU - Linux c99 Privilege Escalation - Rule", "ESCU - Linux Change File Owner To Root - Rule", "ESCU - Linux Common Process For Elevation Control - Rule", "ESCU - Linux Composer Privilege Escalation - Rule", "ESCU - Linux Cpulimit Privilege Escalation - Rule", "ESCU - Linux Csvtool Privilege Escalation - Rule", "ESCU - Linux Doas Conf File Creation - Rule", "ESCU - Linux Doas Tool Execution - Rule", "ESCU - Linux Docker Privilege Escalation - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Emacs Privilege Escalation - Rule", "ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux File Creation In Init Boot Directory - Rule", "ESCU - Linux File Creation In Profile Directory - Rule", "ESCU - Linux Find 
Privilege Escalation - Rule", "ESCU - Linux GDB Privilege Escalation - Rule", "ESCU - Linux Gem Privilege Escalation - Rule", "ESCU - Linux GNU Awk Privilege Escalation - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Make Privilege Escalation - Rule", "ESCU - Linux MySQL Privilege Escalation - Rule", "ESCU - Linux Node Privilege Escalation - Rule", "ESCU - Linux NOPASSWD Entry In Sudoers File - Rule", "ESCU - Linux Octave Privilege Escalation - Rule", "ESCU - Linux OpenVPN Privilege Escalation - Rule", "ESCU - Linux Persistence and Privilege Escalation Risk Behavior - Rule", "ESCU - Linux PHP Privilege Escalation - Rule", "ESCU - Linux pkexec Privilege Escalation - Rule", "ESCU - Linux Possible Access Or Modification Of sshd Config File - Rule", "ESCU - Linux Possible Access To Credential Files - Rule", "ESCU - Linux Possible Access To Sudoers File - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Command To Profile Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Possible Ssh Key File Creation - Rule", "ESCU - Linux Preload Hijack Library Calls - Rule", "ESCU - Linux Puppet Privilege Escalation - Rule", "ESCU - Linux RPM Privilege Escalation - Rule", "ESCU - Linux Ruby Privilege Escalation - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Linux Setuid Using Chmod Utility - Rule", "ESCU - Linux Setuid Using Setcap Utility - Rule", "ESCU - Linux Shred Overwrite Command - Rule", "ESCU - Linux Sqlite3 Privilege Escalation - Rule", "ESCU - Linux Sudo OR Su Execution - Rule", "ESCU - Linux Sudoers Tmp File Creation - Rule", "ESCU - Linux Visudo Utility 
Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Add User Account", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux apt-get Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux APT Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux AWK Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Busybox Privilege 
Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c89 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux c99 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Change File Owner To Root", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Linux and Mac File and Directory Permissions Modification"}, {"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Common Process For Elevation Control", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Composer Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Cpulimit Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Csvtool Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux 
Doas Conf File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Doas Tool Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Docker Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Emacs Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux File Creation In Init Boot Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "RC Scripts"}, {"mitre_attack_technique": "Boot or Logon Initialization Scripts"}]}}, {"name": "Linux File Creation In Profile Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Find Privilege Escalation", "source": 
"endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GDB Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Gem Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux GNU Awk Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Make Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux MySQL Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Node Privilege Escalation", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux NOPASSWD Entry In Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Octave Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux OpenVPN Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Persistence and Privilege Escalation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux PHP Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux pkexec Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Linux Possible Access Or Modification Of sshd Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Possible Access To Credential Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "/etc/passwd and /etc/shadow"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Linux Possible Access To Sudoers File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To Profile Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell Configuration Modification"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Ssh Key File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SSH Authorized Keys"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Linux Preload Hijack Library Calls", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic Linker Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Linux Puppet Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, 
{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux RPM Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Ruby Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Setuid Using Chmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Setuid Using Setcap Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Setuid and Setgid"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Shred Overwrite Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Linux Sqlite3 Privilege Escalation", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudo OR Su Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Sudoers Tmp File Creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Linux Visudo Utility Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Sudo and Sudo Caching"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Linux Rootkit", "author": "Michael Haag, Splunk", "date": "2022-07-27", "version": 1, "id": "e30f4054-ac08-4999-b8bc-5cc46886c18d", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.", "narrative": "Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. 
As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.", "references": ["https://attack.mitre.org/techniques/T1014/", "https://content.fireeye.com/apt-41/rpt-apt41", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"], "tags": {"name": "Linux Rootkit", "analytic_story": "Linux Rootkit", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, 
"detection_names": ["ESCU - Linux File Created In Kernel Driver Directory - Rule", "ESCU - Linux Insert Kernel Module Using Insmod Utility - Rule", "ESCU - Linux Install Kernel Module Using Modprobe Utility - Rule", "ESCU - Linux Kernel Module Enumeration - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux File Created In Kernel Driver Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Insert Kernel Module Using Insmod Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Install Kernel Module Using Modprobe Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Linux Kernel Module Enumeration", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Rootkit"}]}}]}, {"name": "Living Off The Land", "author": "Lou Stella, Splunk", "date": "2022-03-16", "version": 2, "id": "6f7982e2-900b-11ec-a54a-acde48001122", "description": "Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.", "narrative": "Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. 
This allows the adversary to blend in with native process behavior.", "references": ["https://lolbas-project.github.io/"], "tags": {"name": "Living Off The Land", "analytic_story": "Living Off The Land", "category": ["Adversary Tactics", "Unauthorized Software", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1140", "mitre_attack_technique": "Deobfuscate/Decode Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT39", "BRONZE BUTLER", "Darkhotel", 
"Earth Lusca", "FIN13", "Gamaredon Group", "Gorgon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Molerats", "MuddyWater", "OilRig", "Rocke", "Sandworm Team", "TA505", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "WIRTE", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox 
Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", 
"Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", 
"GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1059.004", "mitre_attack_technique": "Unix Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT41", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1647", "mitre_attack_technique": "Plist File Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": 
["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", 
"Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.013", "mitre_attack_technique": "Mavinject", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1218.008", "mitre_attack_technique": "Odbcconf", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group"]}, {"mitre_attack_id": "T1216", "mitre_attack_technique": "System Script Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Exfiltration", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", 
"Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - BITS Job Persistence - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - CertUtil With Decode Argument - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Control Loading from World Writable Directory - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule", "ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Disable Schedule Task - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Esentutl SAM Copy - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Living Off The Land - Rule", "ESCU - LOLBAS With Network Traffic - Rule", "ESCU - MacOS LOLbin - Rule", "ESCU - MacOS plutil - Rule", "ESCU - Mmc LOLBAS Execution Process Spawn - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", 
"ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 Create Remote Thread To A Process - Rule", "ESCU - Rundll32 CreateRemoteThread In Browser - Rule", "ESCU - Rundll32 DNSQuery - Rule", "ESCU - Rundll32 Process Creating Exe Dll Files - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", "ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - Suspicious mshta spawn - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Binary Proxy Execution Mavinject DLL Injection - Rule", "ESCU - Windows COM Hijacking InprocServer32 Modification - Rule", "ESCU - Windows Diskshadow Proxy Execution - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Windows 
DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Identify Protocol Handlers - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via pcalua - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule", "ESCU - Windows MOF Event Triggered Execution via WMI - Rule", "ESCU - Windows Odbcconf Hunting - Rule", "ESCU - Windows Odbcconf Load DLL - Rule", "ESCU - Windows Odbcconf Load Response File - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule", "ESCU - Windows System Script Proxy Execution Syncappvpublishingserver - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "BITS Job Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, 
{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "CertUtil With Decode Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Deobfuscate/Decode Files or Information"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, 
{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System 
Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Disable Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Esentutl SAM Copy", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Living Off The Land", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "LOLBAS With Network Traffic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Exfiltration Over Web Service"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "MacOS LOLbin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Unix Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "MacOS plutil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Plist File Modification"}]}}, {"name": "Mmc LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Create Remote Thread To A Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 CreateRemoteThread In Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Rundll32 DNSQuery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Process Creating Exe Dll Files", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows 
Service"}]}}, {"name": "Suspicious IcedID Rundll32 Cmdline", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Binary Proxy Execution Mavinject DLL Injection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mavinject"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows Diskshadow Proxy Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search 
Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}}, {"name": "Windows Identify Protocol Handlers", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Indirect Command Execution Via pcalua", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, 
{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows MOF Event Triggered Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}]}}, {"name": "Windows Odbcconf Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows Odbcconf Load DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows Odbcconf Load Response File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Odbcconf"}]}}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows System Script Proxy Execution Syncappvpublishingserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Script Proxy Execution"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control 
Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Local Privilege Escalation With KrbRelayUp", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2022-04-28", "version": 1, "id": "765790f0-2f8f-4048-8321-fd1928ec2546", "description": "KrbRelayUp is a tool that allows local privilege escalation from low-priviliged domain user to local system on domain-joined computers.", "narrative": "In October 2021, James Forshaw from Googles Project Zero released a research blog post titled `Using Kerberos for Authentication Relay Attacks`. This research introduced, for the first time, ways to make Windows authenticate to a different Service Principal Name (SPN) than what would normally be derived from the hostname the client is connecting to. This effectively proved that relaying Kerberos authentication is possible\\\\. 
In April 2022, security researcher Mor Davidovich released a tool named KrbRelayUp which implements Kerberos relaying as well as other known Kerberos techniques with the goal of escalating privileges from a low-privileged domain user on a domain-joined device and obtain a SYSTEM shell.", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/", "https://github.com/cube0x0/KrbRelay"], "tags": {"name": "Local Privilege Escalation With KrbRelayUp", "analytic_story": "Local Privilege Escalation With KrbRelayUp", "category": ["Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Computer Account Created by Computer Account - Rule", "ESCU - Windows Computer Account Requesting Kerberos Ticket - Rule", "ESCU - Windows Computer Account With SPN - Rule", "ESCU - Windows Kerberos Local Successful Logon - Rule", "ESCU - Windows 
KrbRelayUp Service Creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Computer Account Created by Computer Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account Requesting Kerberos Ticket", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Computer Account With SPN", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows Kerberos Local Successful Logon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows KrbRelayUp Service Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}]}, {"name": "Log4Shell CVE-2021-44228", "author": "Jose Hernandez", "date": "2021-12-11", "version": 1, "id": "b4453928-5a98-11ec-afcd-8de10b48fc52", "description": "Log4Shell or CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library, a widely used and ubiquitous logging framework for Java. The vulnerability allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers and we anticipate that most apps using the Log4j library will meet this condition.", "narrative": "In late November 2021, Chen Zhaojun of Alibaba identified a remote code execution vulnerability. 
Previous work was seen in a 2016 Blackhat talk by Alvaro Munoz and Oleksandr Mirosh called [\"A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land\"](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf). Reported under the CVE ID : CVE-2021-44228, released to the public on December 10, 2021. The vulnerability is exploited through improper deserialization of user input passed into the framework. It permits remote code execution and it can allow an attacker to leak sensitive data, such as environment variables, or execute malicious software on the target system.", "references": ["https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/", "https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j", "https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/", "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html"], "tags": {"name": "Log4Shell CVE-2021-44228", "analytic_story": "Log4Shell CVE-2021-44228", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", 
"Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", 
"Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Network_Traffic", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadFile - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Curl Download and Bash Execution - Rule", "ESCU - Java Class File download by Java 
User Agent - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Log4Shell CVE-2021-44228 Exploitation - Rule", "ESCU - Outbound Network Connection from Java Using Default Ports - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Wget Download and Bash Execution - Rule", "ESCU - Windows Java Spawning Shells - Rule", "ESCU - Detect Outbound LDAP Traffic - Rule", "ESCU - Hunting for Log4Shell - Rule", "ESCU - Log4Shell JNDI Payload Injection Attempt - Rule", "ESCU - Log4Shell JNDI Payload Injection with Outbound Connection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Jose Hernandez", "detections": [{"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Curl Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Java Class File download by Java User Agent", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell CVE-2021-44228 Exploitation", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Ingress Tool Transfer"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Outbound Network Connection from Java Using Default Ports", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Wget Download and Bash Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Outbound LDAP Traffic", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Hunting for Log4Shell", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection Attempt", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Log4Shell JNDI Payload Injection with Outbound Connection", "source": "web", "type": "Anomaly", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Malicious PowerShell", "author": "David Dorsey, Splunk", "date": "2017-08-23", "version": 5, "id": "2c8ff66e-0b57-42af-8ad7-912438a403fc", "description": "Attackers are finding stealthy ways \"live off the land,\" leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.", "narrative": "The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope. \\\nThe following factors may assist you in determining whether the event is malicious: \\\n1. Country of origin \\\n1. Responsible party \\\n1. Fully qualified domain names associated with the external IP address \\\n1. Registration of fully qualified domain names associated with external IP address \\\nDetermining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. 
Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope. \\\nGathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted. \\\nOften, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if `svchost.exe` is found running from a location other than `C:\\Windows\\System32`, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited. \\\nIt can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well. \\\nIn the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. 
If categories are given for the URLs visited, that can help you zero in on possible malicious sites. \\\nMost recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.", "references": ["https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"], "tags": {"name": "Malicious PowerShell", "analytic_story": "Malicious PowerShell", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", 
"Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge 
Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.006", 
"mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": 
["no"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Suspicious Powershell Command-Line Arguments - Rule", "ESCU - Any Powershell 
DownloadFile - Rule", "ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Empire with PowerShell Script Block Logging - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - GetLocalUser with PowerShell Script Block - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Malicious PowerShell Process With Obfuscation Techniques - Rule", "ESCU - Possible Lateral Movement PowerShell Spawn - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Powershell COM Hijacking InprocServer32 Modification - Rule", "ESCU - Powershell Creating Thread Mutex - Rule", "ESCU - PowerShell Domain Enumeration - Rule", "ESCU - PowerShell Enable PowerShell Remoting - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Powershell Fileless Process Injection via GetProcAddress - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Invoke CIMMethod CIMSession - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Powershell Processing Stream Of Data - Rule", "ESCU - PowerShell Script Block With URL Chain - Rule", "ESCU - Powershell Using memory As Backing Store - Rule", "ESCU - PowerShell WebRequest Using Memory Stream - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - ServicePrincipalNames Discovery with PowerShell - Rule", "ESCU - Set Default PowerShell Execution Policy To Unrestricted or Bypass - Rule", "ESCU - Unloading AMSI via Reflection - Rule", "ESCU - WMI Recon Running Process Or Services - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - 
Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Suspicious Powershell Command-Line Arguments", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}]}}, {"name": "Any Powershell DownloadFile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Empire with PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetLocalUser with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, 
{"mitre_attack_technique": "PowerShell"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process With Obfuscation Techniques", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell COM Hijacking InprocServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model 
Hijacking"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Creating Thread Mutex", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Domain Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Enable PowerShell Remoting", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Process Injection via GetProcAddress", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, 
{"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Invoke CIMMethod CIMSession", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Processing Stream Of Data", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Script Block With URL Chain", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Powershell Using memory As Backing Store", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "PowerShell WebRequest Using Memory Stream", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Fileless Storage"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ServicePrincipalNames Discovery with PowerShell", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Set Default PowerShell Execution Policy To Unrestricted or Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Unloading AMSI via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "WMI Recon Running Process Or Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}]}, {"name": "Masquerading - Rename System Utilities", "author": "Michael Haag, Splunk", "date": "2021-04-26", "version": 1, "id": "f0258af4-a6ae-11eb-b3c2-acde48001122", "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.", "narrative": "Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.\\\nThe following content is here to assist with binaries within `system32` or `syswow64` being moved to a new location or an adversary bringing a the binary in to execute.\\\nThere will be false positives as some native Windows processes are moved or ran by third party applications from different paths. 
If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.", "references": ["https://attack.mitre.org/techniques/T1036/003/"], "tags": {"name": "Masquerading - Rename System Utilities", "analytic_story": "Masquerading - Rename System Utilities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", 
"LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", "APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Execution of File with Multiple Extensions - Rule", "ESCU - Sdelete Application Execution - Rule", "ESCU - 
Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Sdelete Application Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}, {"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, 
{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}]}, {"name": "MetaSploit", "author": "Michael Haag, Splunk", "date": "2022-11-21", "version": 1, "id": "c149b694-bd08-4535-88d3-1f288a66313f", "description": "The following analytic story highlights content related directly to MetaSploit, which may be default configurations attributed to MetaSploit or behaviors of known knowns that are related.", "narrative": "The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers. 
Because it is an open-source framework, it can be easily customized and used with most operating systems.\\\nThe Metasploit Project was undertaken in 2003 by H.D. Moore for use as a Perl-based portable network tool, with assistance from core developer Matt Miller. It was fully converted to Ruby by 2007, and the license was acquired by Rapid7 in 2009, where it remains as part of the Boston-based company repertoire of IDS signature development and targeted remote exploit, fuzzing, anti-forensic, and evasion tools.\\\nPortions of these other tools reside within the Metasploit framework, which is built into the Kali Linux OS. Rapid7 has also developed two proprietary OpenCore tools, Metasploit Pro, Metasploit Express.\\\nThis framework has become the go-to exploit development and mitigation tool. Prior to Metasploit, pen testers had to perform all probes manually by using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, and that limited a security specialist reach to the local area and companies spending a fortune on in-house IT or security consultants. (ref. 
Varonis)", "references": ["https://github.com/rapid7/metasploit-framework", "https://www.varonis.com/blog/what-is-metasploit"], "tags": {"name": "MetaSploit", "analytic_story": "MetaSploit", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Powershell Load Module in Meterpreter - Rule", "ESCU - Windows Apache Benchmark Binary - Rule"], "investigation_names": [], "baseline_names": [], "author_company": 
"Splunk", "author_name": "Michael Haag", "detections": [{"name": "Powershell Load Module in Meterpreter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Windows Apache Benchmark Binary", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Meterpreter", "author": "Michael Hart", "date": "2021-06-08", "version": 1, "id": "d5f8e298-c85a-11eb-9fea-acde48001122", "description": "Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) from Meterpreter. Meterpreter is a Metasploit payload for remote execution that leverages DLL injection to make it extremely difficult to detect. Since the software runs in memory, no new processes are created upon injection. It also leverages encrypted communication channels.\\\nMeterpreter enables the operator to remotely run commands on the target machine, upload payloads, download files, dump password hashes, and much more. It is difficult to determine from the forensic evidence what actions the operator performed. Splunk Research, however, has observed anomalous behaviors on the compromised hosts that seem to only appear when Meterpreter is executing various commands. With that, we have written new detections targeted to these detections.\\\nWhile investigating a detection related to this analytic story, please bear in mind that the detections look for anomalies in system behavior. 
It will be imperative to look for other signs in the endpoint and network logs for lateral movement, discovery and other actions to confirm that the host was compromised and a remote actor used it to progress on their objectives.", "references": ["https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/", "https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/", "https://www.rapid7.com/products/metasploit/"], "tags": {"name": "Meterpreter", "analytic_story": "Meterpreter", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Excessive distinct processes from Windows Temp - Rule", "ESCU - Excessive number of taskhost processes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Michael Hart", "detections": [{"name": "Excessive distinct processes from Windows Temp", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Excessive number of taskhost processes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "author": "Michael Haag, Splunk", "date": "2021-09-08", "version": 1, "id": "4ad4253e-10ca-11ec-8235-acde48001122", "description": "CVE-2021-40444 is a 
remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.", "narrative": "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks. \\\n1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. 
This is a default setting but it may have been changed.", "references": ["https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.echotrail.io/insights/search/control.exe"], "tags": {"name": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "analytic_story": "Microsoft MSHTML Remote Code Execution CVE-2021-40444", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.002", "mitre_attack_technique": "Control Panel", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Ember Bear"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", 
"SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation"]}, "detection_names": ["ESCU - Control Loading from World Writable Directory - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Control Loading from World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Control Panel"}]}}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Spawning Control", "source": "endpoint", "type": 
"TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "author": "Michael Haag, Gowthamaraj Rajendran, Splunk", "date": "2023-09-27", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497d", "description": "This analytic story focuses on the Microsoft SharePoint Server vulnerability CVE-2023-29357, which allows for an elevation of privilege due to improper handling of authentication tokens. Exploitation of this vulnerability could lead to a serious security breach where an attacker might gain privileged access to the SharePoint environment, potentially leading to data theft or other malicious activities. This story is associated with the detection `Microsoft SharePoint Server Elevation of Privilege` which identifies attempts to exploit this vulnerability.", "narrative": "Microsoft SharePoint Server is a widely used web-based collaborative platform. The vulnerability CVE-2023-29357 exposes a flaw in the handling of authentication tokens, allowing an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. This could potentially lead to data theft, unauthorized system modifications, or other malicious activities. 
Organizations are urged to apply immediate patches and conduct regular system assessments to ensure security.", "references": ["https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/", "https://github.com/Chocapikk/CVE-2023-29357"], "tags": {"name": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "analytic_story": "Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357", "category": ["Vulnerability", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Privilege Escalation"], "datamodels": ["Web"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Microsoft SharePoint Server Elevation of Privilege - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Gowthamaraj Rajendran, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Microsoft SharePoint Server Elevation of Privilege", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "author": "Michael Haag, Teoderick Contreras, Splunk", "date": "2022-05-31", "version": 1, "id": "2a60a99e-c93a-4036-af70-768fac838019", "description": "On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "narrative": "A remote code 
execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user''s rights.", "references": ["https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://isc.sans.edu/diary/rss/28694", "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=ZiXYI4dQuA-0_dzQzSUb3A", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection", "https://strontic.github.io/xcyclopedia/library/msdt.exe-152D4C9F63EFB332CCB134C6953C0104.html"], "tags": {"name": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "analytic_story": "Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": 
["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Execute Arbitrary Commands with MSDT - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Execute Arbitrary Commands with MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Monitor for Updates", "author": "Rico Valdez, Splunk", "date": "2017-09-15", "version": 1, "id": "9ef8d677-7b52-4213-a038-99cfc7acc2d8", "description": "Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.", "narrative": "It is a common best practice to ensure that endpoints are being patched and updated in a timely manner, in order to reduce the risk of compromise via a publicly disclosed vulnerability. Timely application of updates/patches is important to eliminate known vulnerabilities that may be exploited by various threat actors.\\\nSearches in this analytic story are designed to help analysts monitor endpoints for system patches and/or updates. This helps analysts identify any systems that are not successfully updated in a timely matter.\\\nMicrosoft releases updates for Windows systems on a monthly cadence. They should be installed as soon as possible after following internal testing and validation procedures. 
Patches and updates for other systems or applications are typically released as needed.", "references": ["https://learn.cisecurity.org/20-controls-download"], "tags": {"name": "Monitor for Updates", "analytic_story": "Monitor for Updates", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Compliance", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Updates"], "kill_chain_phases": []}, "detection_names": ["ESCU - No Windows Updates in a time frame - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Windows Updates Install Failures", "ESCU - Windows Updates Install Successes"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "No Windows Updates in a time frame", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "MOVEit Transfer Critical Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-06-01", "version": 1, "id": "e8c05f9b-6ad4-45ac-8f5d-ff044da417c9", "description": "A critical zero-day vulnerability has been discovered in the MOVEit Transfer file transfer software, widely used by businesses and developers worldwide. The vulnerability has been exploited by unknown threat actors to perform mass data theft from organizations. Progress Software Corporation, the developer of MOVEit, has issued a security advisory urging customers to take immediate action to protect their environments. They recommend blocking external traffic to ports 80 and 445 on the MOVEit server, and to check the c:\\MOVEitTransfer\\wwwroot\\ folder for unusual files. A patch is currently released.", "narrative": "Hackers have been actively exploiting a zero-day vulnerability found in the MOVEit Transfer software. 
This software, developed by Progress Software Corporation, a US-based company and its subsidiary Ipswitch, is a managed file transfer solution. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software allows for secure file transfers between business partners and customers using SFTP, SCP, and HTTP-based uploads.\\\nThe zero-day vulnerability has been exploited to steal data on a large scale from various organizations. The identity of the threat actors and the exact timeline of the exploitation remains unclear. However, it has been confirmed that multiple organizations have experienced breaches and data theft.\\\nIn response to this critical situation, Progress released a security advisory warning customers of the vulnerability and providing mitigation strategies while a patch has been released. They urged customers to take immediate action to protect their MOVEit environments. They suggested blocking external traffic to ports 80 and 445 on the MOVEit server and checking the c:\\MOVEitTransfer\\wwwroot\\ folder for unexpected files, including backups or large file downloads.\\\nBlocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working. However, SFTP and FTP/s protocols can continue to be used for file transfers.\\\nThere is currently no detailed information about the zero-day vulnerability. But based on the ports blocked and the specific location to check for unusual files, the flaw is likely a web-facing vulnerability.\\\nWhile Progress has officially confirmed that the vulnerability is being actively exploited, it is clear from several reports that multiple organizations have already had data stolen using this zero-day vulnerability. 
The exploitation appears very similar to the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 zero-day exploitation of Accellion FTA servers. These were both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.", "references": ["https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/", "https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/", "https://gist.github.com/MHaggis/faa672b1929a23fc48fc0ee47585cc48"], "tags": {"name": "MOVEit Transfer Critical Vulnerability", "analytic_story": "MOVEit Transfer Critical Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", 
"Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Windows MOVEit Transfer Writing ASPX - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MOVEit Transfer Writing ASPX", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Netsh Abuse", "author": "Bhavin Patel, Splunk", "date": "2017-01-05", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5f65", "description": "Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.", "narrative": "It is a common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious reasons. One such tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you to--either locally or remotely--display or modify the network configuration of a computer that is currently running. `Netsh.exe` can be used to discover and disable local firewall settings. 
It can also be used to set up a remote connection to a host from an infected system.\\\nTo get started, run the detection search to identify parent processes of `netsh.exe`.", "references": ["https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)", "https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html", "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"], "tags": {"name": "Netsh Abuse", "analytic_story": "Netsh Abuse", "category": ["Abuse"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", 
"APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Processes created by netsh - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU 
- Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of SMB Traffic - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Processes created by netsh", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Network Discovery", "author": "Teoderick Contreras, Splunk", "date": "2022-02-14", "version": 1, "id": "af228995-f182-49d7-90b3-2a732944f00f", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the network discovery, including looking for network configuration, settings such as IP, MAC address, firewall settings and many more.", "narrative": "Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.", "references": ["https://attack.mitre.org/techniques/T1016/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", 
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"], "tags": {"name": "Network Discovery", "analytic_story": "Network Discovery", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}], "mitre_attack_tactics": ["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Linux System Network Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Linux System Network Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}]}, {"name": "NjRAT", "author": "Teoderick Contreras, Splunk", "date": "2023-09-07", "version": 2, "id": "f6d52454-6cf3-4759-9627-5868a3e2b2b1", "description": "NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. 
These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.", "narrative": "NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has \"worm\" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. 
NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.", "references": ["https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/#:~:text=NJRat%20%E2%80%94%20also%20known%20as%20Bladabindi,malware%20variant%20in%20March%202023.", "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"], "tags": {"name": "NjRAT", "analytic_story": "NjRAT", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", 
"Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic 
Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", 
"Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", 
"Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, 
{"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1129", "mitre_attack_technique": "Shared Modules", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": 
"Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", 
"mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Spawn rundll32 process - 
Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Windows Abused Web Services - Rule", "ESCU - Windows Admin Permission Discovery - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Delete or Modify System Firewall - Rule", "ESCU - Windows Disable or Modify Tools Via Taskkill - Rule", "ESCU - Windows Executable in Loaded Modules - Rule", "ESCU - Windows Njrat Fileless Storage via Registry - Rule", "ESCU - Windows Modify Registry With MD5 Reg Key Name - Rule", "ESCU - Windows Modify System Firewall with Notable Process Path - Rule", "ESCU - Windows Raw Access To Disk Volume Partition - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows System LogOff Commandline - Rule", "ESCU - Windows System Reboot CommandLine - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - Windows Time Based Evasion - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop 
Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting 
Interpreter"}, {"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Abused Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Admin Permission Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Local Groups"}]}}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Delete or Modify System Firewall", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify System Firewall"}]}}, {"name": "Windows Disable or Modify Tools Via Taskkill", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows Executable in Loaded Modules", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Shared Modules"}]}}, {"name": "Windows Njrat Fileless Storage via Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Fileless Storage"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Windows Modify Registry With MD5 Reg Key Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify System Firewall with Notable Process Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Raw Access To Disk Volume Partition", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Replication Through Removable Media"}]}}, {"name": "Windows System LogOff Commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows System Reboot CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System 
Shutdown/Reboot"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "Windows Time Based Evasion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}]}}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "NOBELIUM Group", "author": "Patrick Bareiss, Michael Haag, Splunk", "date": "2020-12-14", "version": 2, "id": "758196b5-2e21-424f-a50c-6e421ce926c2", "description": "Sunburst is a trojanized updates to SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.", "narrative": "This Analytic Story supports you to detect Tactics, Techniques and Procedures (TTPs) of the NOBELIUM Group. The threat actor behind sunburst compromised the SolarWinds.Orion.Core.BusinessLayer.dll, is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. 
The detections in this Analytic Story are focusing on the dll loading events, file create events and network events to detect This malware.", "references": ["https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"], "tags": {"name": "NOBELIUM Group", "analytic_story": "NOBELIUM Group", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", 
"APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth 
Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1203", 
"mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1071.002", "mitre_attack_technique": "File Transfer Protocols", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Dragonfly", "Kimsuky", "SilverTerrier"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": 
["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Anomalous usage of 7zip - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Sunburst Correlation DLL and Network Event - Rule", "ESCU - Windows AdFind Exe - Rule", "ESCU - Detect Outbound SMB Traffic - Rule", "ESCU - TOR Traffic - Rule", "ESCU - Supernova Webshell - Rule"], "investigation_names": [], "baseline_names": ["ESCU - 
Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Michael Haag, Splunk", "author_name": "Patrick Bareiss", "detections": [{"name": "Anomalous usage of 7zip", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, 
{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Sunburst Correlation DLL and Network Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}, {"name": "Windows AdFind Exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Detect Outbound SMB Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Transfer Protocols"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}}, {"name": "Supernova Webshell", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Office 365 Account Takeover", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "7dcea963-af44-4db7-a5b9-fd2b543d9bc9", "description": "Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.", "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Account Takeover\" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain their initial foothold . 
Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.", "references": ["https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes", "https://attack.mitre.org/tactics/TA0001/", "https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/", "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth", "https://www.alteredsecurity.com/post/introduction-to-365-stealer", "https://github.com/AlteredSecurity/365-Stealer"], "tags": {"name": "Office 365 Account Takeover", "analytic_story": "Office 365 Account Takeover", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110.001", "mitre_attack_technique": "Password Guessing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1185", "mitre_attack_technique": "Browser Session Hijacking", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1556", 
"mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1528", "mitre_attack_technique": "Steal Application Access Token", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Initial Access", 
"Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - High Number of Login Failures from a single source - Rule", "ESCU - O365 Block User Consent For Risky Apps Disabled - Rule", "ESCU - O365 Concurrent Sessions From Different Ips - Rule", "ESCU - O365 Excessive Authentication Failures Alert - Rule", "ESCU - O365 Excessive SSO logon errors - Rule", "ESCU - O365 File Permissioned Application Consent Granted by User - Rule", "ESCU - O365 High Number Of Failed Authentications for User - Rule", "ESCU - O365 Mail Permissioned Application Consent Granted by User - Rule", "ESCU - O365 Multi-Source Failed Authentications Spike - Rule", "ESCU - O365 Multiple AppIDs and UserAgents Authentication Spike - Rule", "ESCU - O365 Multiple Failed MFA Requests For User - Rule", "ESCU - O365 Multiple Users Failing To Authenticate From Ip - Rule", "ESCU - O365 User Consent Blocked for Risky Application - Rule", "ESCU - O365 User Consent Denied for OAuth Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "High Number of Login Failures from a single source", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Guessing"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "O365 Block User Consent For Risky Apps Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "O365 Concurrent Sessions From Different Ips", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Browser Session Hijacking"}]}}, {"name": "O365 Excessive Authentication Failures Alert", "source": "cloud", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "O365 Excessive SSO logon errors", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 File Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "O365 High Number Of Failed Authentications for User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Guessing"}]}}, {"name": "O365 Mail Permissioned Application Consent Granted by User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "O365 Multi-Source Failed Authentications Spike", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "O365 Multiple AppIDs and UserAgents Authentication Spike", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "O365 Multiple Failed MFA Requests For User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "O365 Multiple Users Failing To Authenticate From Ip", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Brute Force"}, {"mitre_attack_technique": "Password 
Spraying"}, {"mitre_attack_technique": "Credential Stuffing"}]}}, {"name": "O365 User Consent Blocked for Risky Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}, {"name": "O365 User Consent Denied for OAuth Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Application Access Token"}]}}]}, {"name": "Office 365 Persistence Mechanisms", "author": "Mauricio Velazco, Patrick Bareiss, Splunk", "date": "2023-10-17", "version": 1, "id": "d230a106-0475-4605-a8d8-abaf4c31ced7", "description": "Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.", "narrative": "Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The \"Office 365 Persistence Mechanisms\" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. 
By monitoring signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.", "references": ["https://attack.mitre.org/tactics/TA0003/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa21-008a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en", "https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf", "https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html", "https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners", "https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf"], "tags": {"name": "Office 365 Persistence Mechanisms", "analytic_story": "Office 365 Persistence Mechanisms", "category": ["Adversary Tactics", "Account Compromise", "Cloud Security", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1136.003", "mitre_attack_technique": "Cloud Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT29", "LAPSUS$"]}, {"mitre_attack_id": "T1136", "mitre_attack_technique": "Create Account", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1562.008", "mitre_attack_technique": "Disable or Modify Cloud Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1098.002", "mitre_attack_technique": "Additional Email Delegate Permissions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "Magic Hound"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1098.003", "mitre_attack_technique": "Additional Cloud Roles", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1114", "mitre_attack_technique": "Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Magic Hound", "Silent Librarian"]}, {"mitre_attack_id": "T1114.002", "mitre_attack_technique": "Remote Email Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "Chimera", "Dragonfly", "FIN4", "HAFNIUM", "Ke3chang", "Kimsuky", "Leafminer", "Magic Hound"]}, {"mitre_attack_id": "T1098.005", "mitre_attack_technique": "Device Registration", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1098.001", "mitre_attack_technique": "Additional Cloud Credentials", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1114.003", "mitre_attack_technique": "Email Forwarding Rule", "mitre_attack_tactics": ["Collection"], 
"mitre_attack_groups": ["Kimsuky", "LAPSUS$", "Silent Librarian"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - O365 Add App Role Assignment Grant User - Rule", "ESCU - O365 Added Service Principal - Rule", "ESCU - O365 Advanced Audit Disabled - Rule", "ESCU - O365 Application Registration Owner Added - Rule", "ESCU - O365 ApplicationImpersonation Role Assigned - Rule", "ESCU - O365 Bypass MFA via Trusted IP - Rule", "ESCU - O365 Disable MFA - Rule", "ESCU - O365 High Privilege Role Granted - Rule", "ESCU - O365 Mailbox Inbox Folder Shared with All Users - Rule", "ESCU - O365 Mailbox Read Access Granted to Application - Rule", "ESCU - O365 New Federated Domain Added - Rule", "ESCU - O365 New MFA Method Registered - Rule", "ESCU - O365 PST export alert - Rule", "ESCU - O365 Service Principal New Client Credentials - Rule", "ESCU - O365 Suspicious Admin Email Forwarding - Rule", "ESCU - O365 Suspicious Rights Delegation - Rule", "ESCU - O365 Suspicious User Email Forwarding - Rule", "ESCU - O365 Tenant Wide Admin Consent Granted - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Patrick Bareiss, Splunk", "author_name": "Mauricio Velazco", "detections": [{"name": "O365 Add App Role Assignment Grant User", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Added Service Principal", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 Advanced Audit Disabled", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, 
{"mitre_attack_technique": "Disable or Modify Cloud Logs"}]}}, {"name": "O365 Application Registration Owner Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "O365 ApplicationImpersonation Role Assigned", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}]}}, {"name": "O365 Bypass MFA via Trusted IP", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "O365 Disable MFA", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "O365 High Privilege Role Granted", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "O365 Mailbox Inbox Folder Shared with All Users", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Remote Email Collection"}]}}, {"name": "O365 Mailbox Read Access Granted to Application", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}, {"name": "O365 New Federated Domain Added", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Account"}, {"mitre_attack_technique": "Create Account"}]}}, {"name": "O365 New MFA Method Registered", "source": "cloud", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Device Registration"}]}}, {"name": "O365 PST export alert", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Service Principal New Client Credentials", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Credentials"}]}}, {"name": "O365 Suspicious Admin Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Suspicious Rights Delegation", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Email Collection"}, {"mitre_attack_technique": "Email Collection"}, {"mitre_attack_technique": "Additional Email Delegate Permissions"}, {"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "O365 Suspicious User Email Forwarding", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Email Forwarding Rule"}, {"mitre_attack_technique": "Email Collection"}]}}, {"name": "O365 Tenant Wide Admin Consent Granted", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}, {"mitre_attack_technique": "Additional Cloud Roles"}]}}]}, {"name": "Okta MFA Exhaustion", "author": "Michael Haag, Splunk", "date": "2022-09-27", "version": 1, "id": "7c6e508d-4b4d-42c8-82de-5ff4ea3b0cb3", "description": "A social engineering technique called 'MFA Fatigue', aka 'MFA push spam' or 'MFA Exhaustion', is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.", "narrative": "An 
MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of \"fatigue\" regarding these MFA prompts.", "references": ["https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/", "https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html"], "tags": {"name": "Okta MFA Exhaustion", "analytic_story": "Okta MFA Exhaustion", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], 
"mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Okta Account Locked Out - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Okta Account Locked Out", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}]}, {"name": "OpenSSL CVE-2022-3602", "author": "Michael Haag, splunk", "date": "2022-11-02", "version": 1, "id": "491e00c9-998b-4c64-91bb-d8f9c79c1f4c", "description": "OpenSSL recently disclosed two vulnerabilities CVE-2022-3602 and CVE-2022-3786. CVE-2022-3602 is a X.509 Email Address 4-byte Buffer Overflow where puny code is utilized. 
This only affects OpenSSL 3.0.0 - 3.0.6.", "narrative": "A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible. SSL Certificates with Punycode will identify SSL certificates with Punycode. Note that it does not mean it will capture malicious payloads. If using Zeek, modify the Zeek x509 certificate with punycode to match your environment. 
We found during this exercise that the FULL x509 with SAN must be captured and stored, decoded, in order to query against it.", "references": ["https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/", "https://github.com/advisories/GHSA-h8jm-2x53-xhp5", "https://community.emergingthreats.net/t/out-of-band-ruleset-update-summary-2022-11-01/117", "https://github.com/corelight/CVE-2022-3602/tree/master/scripts"], "tags": {"name": "OpenSSL CVE-2022-3602", "analytic_story": "OpenSSL CVE-2022-3602", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1573", "mitre_attack_technique": "Encrypted Channel", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT29", "BITTER", "Magic Hound", "Tropic Trooper"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": [], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - SSL Certificates with Punycode - Rule", "ESCU - Zeek x509 Certificate with Punycode - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "splunk", "author_name": "Michael Haag", "detections": [{"name": "SSL Certificates with Punycode", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Encrypted Channel"}]}}, {"name": "Zeek x509 Certificate with Punycode", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Encrypted Channel"}]}}]}, {"name": "Orangeworm Attack Group", "author": "David Dorsey, Splunk", "date": "2020-01-22", "version": 2, "id": "bb9f5ed2-916e-4364-bb6d-97c370efcf52", "description": "Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.", "narrative": "In May of 2018, the attack group Orangeworm was implicated 
for installing a custom backdoor called Trojan.Kwampirs within large international healthcare corporations in the United States, Europe, and Asia. This malware provides the attackers with remote access to the target system, decrypting and extracting a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.\\\nAwareness of the Orangeworm group first surfaced in January, 2015. It has conducted targeted attacks against related industries, as well, such as pharmaceuticals and healthcare IT solution providers.\\\nHealthcare may be a promising target, because it is notoriously behind in technology, often using older operating systems and neglecting to patch computers. Even so, the group was able to evade detection for a full three years. Sources say that the malware spread quickly within the target networks, infecting computers used to control medical devices, such as MRI and X-ray machines.\\\nThis Analytic Story is designed to help you detect and investigate suspicious activities that may be indicative of an Orangeworm attack. One detection search looks for command-line arguments. Another monitors for uses of sc.exe, a non-essential Windows file that can manipulate Windows services. 
One of the investigative searches helps you get more information on web hosts that you suspect have been compromised.", "references": ["https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/"], "tags": {"name": "Orangeworm Attack Group", "analytic_story": "Orangeworm Attack Group", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", 
"GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response 
Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Previously seen command line arguments", "ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}, {"name": "PaperCut MF NG Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-05-15", "version": 1, "id": "2493d270-5665-4fb4-99c7-8f886f260676", "description": "The FBI has issued a joint advisory concerning the exploitation of a PaperCut MF/NG vulnerability (CVE-2023-27350) by malicious actors, which began in mid-April 2023 and has been ongoing. In early May 2023, a group identifying themselves as the Bl00dy Ransomware Gang targeted vulnerable PaperCut servers within the Education Facilities Subsector. The advisory provides information on detecting exploitation attempts and shares known indicators of compromise (IOCs) associated with the group's activities.", "narrative": "PaperCut MF/NG versions 19 and older have reached their end-of-life, as documented on the End of Life Policy page. Customers using these older versions are advised to purchase an updated license online for PaperCut NG or through their PaperCut Partner for PaperCut MF. 
For users with a currently supported version (version 20 or later), they can upgrade to any maintenance release version they are licensed for.\\ If upgrading to a security patch is not possible, there are alternative options to enhance security. Users can lock down network access to their server(s) by blocking all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default) and blocking all inbound traffic to the web management portal on the firewall to the server. Additionally, users can apply \"Allow list\" restrictions under Options > Advanced > Security > Allowed site server IP addresses, setting this to only allow the IP addresses of verified Site Servers on their network.\\\nThe vulnerabilities CVE-2023-27350 and CVE-2023-27351 have CVSS scores of 9.8 (Critical) and 8.2 (High), respectively. PaperCut and its partner network have activated response teams to assist PaperCut MF and NG customers, with service desks available 24/7 via their support page. The security response team at PaperCut has been working with external security advisors to compile a list of unpatched PaperCut MF/NG servers that have ports open on the public internet. They have been proactively reaching out to potentially exposed customers since Wednesday afternoon (AEST) and are working around the clock through the weekend.\\\nThe exploit was first detected in the wild on April 18th, 2023, at 03:30 AEST / April 17th, 2023, at 17:30 UTC. The earliest signature of suspicious activity on a customer server potentially linked to this vulnerability dates back to April 14th, 2023, at 01:29 AEST / April 13th, 2023, at 15:29 UTC.\\\nApplying the security fixes should not have any negative impact. Users can follow their usual upgrade procedure to obtain the upgrade. 
Additional links on the -Check for updates- page (accessed through the Admin interface > About > Version info > Check for updates) allow customers to download fixes for previous major versions that are still supported (e.g., 20.1.7 and 21.2.11) as well as the current version available. PaperCut MF users are advised to follow their regular upgrade process and consult their PaperCut partner or reseller for assistance.", "references": ["https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-and-fbi-release-joint-advisory-response-active-exploitation-papercut-vulnerability", "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219", "https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/", "https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/", "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software"], "tags": {"name": "PaperCut MF NG Vulnerability", "analytic_story": "PaperCut MF NG Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", 
"Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - PaperCut NG Suspicious Behavior Debug Log - Rule", "ESCU - Windows PaperCut NG Spawn Shell - Rule", "ESCU - PaperCut NG Remote Web Access Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "PaperCut NG Suspicious Behavior Debug Log", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows PaperCut NG Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "PaperCut NG Remote Web Access Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "author": "Michael Haag, Mauricio Velazco, Splunk", "date": "2021-08-31", "version": 1, "id": "97aecafc-0a68-11ec-962f-acde48001122", "description": "PetitPotam (CVE-2021-36942,) is a 
vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.", "narrative": "In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.", "references": ["https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay", "https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429", "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", "https://github.com/topotam/PetitPotam/", "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://attack.mitre.org/techniques/T1187/"], "tags": {"name": "PetitPotam NTLM Relay on Active Directory Certificate Services", "analytic_story": "PetitPotam NTLM Relay on Active Directory Certificate Services", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1187", "mitre_attack_technique": "Forced Authentication", "mitre_attack_tactics": ["Credential Access"], 
"mitre_attack_groups": ["DarkHydrus", "Dragonfly"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access"], "datamodels": [], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - PetitPotam Network Share Access Request - Rule", "ESCU - PetitPotam Suspicious Kerberos TGT Request - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "PetitPotam Network Share Access Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Forced Authentication"}]}}, {"name": "PetitPotam Suspicious Kerberos TGT Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "PlugX", "author": "Teoderick Contreras, Splunk", "date": "2023-10-12", "version": 2, "id": "a2c94c99-b93b-4bc7-a749-e2198743d0d6", "description": "PlugX, also referred to as \"PlugX RAT\" or \"Kaba,\" is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.", "narrative": "PlugX, known as the \"silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. 
PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://attack.mitre.org/software/S0013/"], "tags": {"name": "PlugX", "analytic_story": "PlugX", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1059.003", 
"mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections 
Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.002", "mitre_attack_technique": "Create Process with Token", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], 
"mitre_attack_groups": ["Lazarus Group", "Turla"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Office Application Drop 
Executable - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious writes to windows Recycle Bin - Rule", "ESCU - Windows Access Token Manipulation SeDebugPrivilege - Rule", "ESCU - Windows Masquerading Msdtc Process - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - Windows Service Deletion In Registry - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious writes to windows Recycle Bin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Windows Access Token Manipulation SeDebugPrivilege", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create Process with Token"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Masquerading Msdtc Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Replication Through Removable Media"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, 
{"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "Windows Service Deletion In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "author": "iDefense Cyber Espionage Team, iDefense", "date": "2020-01-22", "version": 1, "id": "988c59c5-0a1c-45b6-a555-0c62276e327e", "description": "Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.", "narrative": "This story was created as a joint effort between iDefense and Splunk.\\\niDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, \"Orz,\" which is associated with the threat actors known as MUDCARP (as well as \"temp.Periscope\" and \"Leviathan\"). The file is executed using Wscript.\\\nThe MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating `[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]'help'='c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\windows\\\\system32\\\\zipfldr.dll,RouteTheCall c:\\\\programdata\\\\winapp.exe'`. 
Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild.\\\nThis Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.\\\nIf behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:\\\n\\\n1. www.chemscalere[.]com\\\n1. chemscalere[.]com\\\n1. about.chemscalere[.]com\\\n1. autoconfig.chemscalere[.]com\\\n1. autodiscover.chemscalere[.]com\\\n1. catalog.chemscalere[.]com\\\n1. cpanel.chemscalere[.]com\\\n1. db.chemscalere[.]com\\\n1. ftp.chemscalere[.]com\\\n1. mail.chemscalere[.]com\\\n1. news.chemscalere[.]com\\\n1. update.chemscalere[.]com\\\n1. webmail.chemscalere[.]com\\\n1. www.candlelightparty[.]org\\\n1. candlelightparty[.]org\\\n1. newapp.freshasianews[.]comIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:\\\n\\\n1. cd195ee448a3657b5c2c2d13e9c7a2e2\\\n1. b43ad826fe6928245d3c02b648296b43\\\n1. 889a9b52566448231f112a5ce9b5dfaf\\\n1. b8ec65dab97cdef3cd256cc4753f0c54\\\n1. 
04d83cd3813698de28cfbba326d7647c", "references": ["https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/", "http://blog.amossys.fr/badflick-is-not-so-bad.html"], "tags": {"name": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "analytic_story": "Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", 
"Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU 
- PowerShell - Connect To Internet With Hidden Window - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "iDefense", "author_name": "iDefense Cyber Espionage Team", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "PowerShell - Connect To Internet With Hidden Window", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "PrintNightmare CVE-2021-34527", "author": "Splunk Threat Research Team", "date": "2021-07-01", "version": 1, "id": "fd79470a-da88-11eb-b803-acde48001122", "description": "The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable 
machine.", "narrative": "This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation). \\\nThe prerequisites for successful exploitation consist of: \\\n1. Print Spooler service enabled on the target system \\\n1. Network connectivity to the target system (initial access has been obtained) \\\n1. Hash or password for a low privileged user ( or computer ) account. \\\nIn the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.", "references": ["https://github.com/cube0x0/CVE-2021-1675/", "https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/", "https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/", "https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes"], "tags": {"name": "PrintNightmare CVE-2021-34527", "analytic_story": "PrintNightmare CVE-2021-34527", "category": ["Vulnerability"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1547", 
"mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Print Spooler Adding A Printer Driver - Rule", "ESCU - Print Spooler Failed to Load a Plug-in - Rule", "ESCU - Rundll32 with no Command Line Arguments with Network - Rule", "ESCU - Spoolsv Spawning Rundll32 - Rule", "ESCU - Spoolsv Suspicious Loaded Modules - Rule", "ESCU - Spoolsv Suspicious Process Access - Rule", "ESCU - Spoolsv Writing a DLL - Rule", "ESCU - Spoolsv Writing a DLL - Sysmon - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "no", "author_name": "Splunk Threat Research Team", "detections": [{"name": "Print Spooler Adding A Printer Driver", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Print Spooler Failed to Load a Plug-in", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Spoolsv Spawning Rundll32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Suspicious Loaded Modules", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Suspicious Process Access", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Spoolsv Writing a DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Spoolsv Writing a DLL - Sysmon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, 
{"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "author": "Rico Valdez, Splunk", "date": "2017-09-11", "version": 1, "id": "6d13121c-90f3-446d-8ac3-27efbbc65218", "description": "Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.", "narrative": "A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.", "references": ["http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/"], "tags": {"name": "Prohibited Traffic Allowed or Protocol Mismatch", "analytic_story": "Prohibited Traffic Allowed or Protocol Mismatch", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", 
"mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access", "Lateral Movement"], "datamodels": ["Endpoint", "Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Inbound Traffic In Firewall Rule - 
Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - Protocol or Port Mismatch - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": ["ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Inbound Traffic In Firewall Rule", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Enable RDP In Other Port Number", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Protocol or Port Mismatch", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "TOR 
Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}}]}, {"name": "ProxyNotShell", "author": "Michael Haag, Splunk", "date": "2022-09-30", "version": 1, "id": "4e3f17e7-9ed7-425d-a05e-b65464945836", "description": "Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.", "narrative": "Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.", "references": ["https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", "https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA", "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html", "https://research.splunk.com/stories/proxyshell/", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "tags": {"name": "ProxyNotShell", "analytic_story": "ProxyNotShell", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", 
"APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", 
"APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", 
"DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Risk", "Web"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": 
"Command and Scripting Interpreter"}]}}, {"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, 
{"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "ProxyShell", "author": "Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk", "date": "2021-08-24", "version": 1, "id": "413bb68e-04e2-11ec-a835-acde48001122", "description": "ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.", "narrative": "During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. 
In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.", "references": ["https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", "https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell", "https://www.youtube.com/watch?v=FC6iHw258RI", "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do", "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", "https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html"], "tags": {"name": "ProxyShell", "analytic_story": "ProxyShell", "category": ["Adversary Tactics", "Ransomware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", 
"Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint", "Risk", "Web"], 
"kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Exchange Web Shell - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Exchange PowerShell Abuse via SSRF - Rule", "ESCU - Exchange PowerShell Module Usage - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows MSExchange Management Mailbox Cmdlet Usage - Rule", "ESCU - ProxyShell ProxyNotShell Behavior Detected - Rule", "ESCU - Windows Exchange Autodiscover SSRF Abuse - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Mauricio Velazco, Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Exchange Web Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Exchange PowerShell Abuse via SSRF", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Exchange PowerShell Module Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, 
{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows MSExchange Management Mailbox Cmdlet Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "ProxyShell ProxyNotShell Behavior Detected", "source": "web", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Exchange Autodiscover SSRF Abuse", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Qakbot", "author": "Teoderick Contreras, Splunk", "date": "2022-11-14", "version": 2, "id": "0c6169b1-f126-4d86-8e4f-f7891007ebc6", "description": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).", "narrative": "QakBot notably has made its way on the CISA top malware list for 2021. QakBot for years has been under continious improvement when it comes to initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. 
The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike. (ref. Cybersecurity ATT) The more recent campaigns utilize HTML smuggling to deliver a ISO container that has a LNK and QakBot payload. QakBot will either load via regsvr32.exe directly, it will attempt to perform DLL sideloading.", "references": ["https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.QakBot", "https://securelist.com/QakBot-technical-analysis/103931/", "https://www.fortinet.com/blog/threat-research/new-variant-of-QakBot-spread-by-phishing-emails", "https://attack.mitre.org/software/S0650/", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"], "tags": {"name": "Qakbot", "analytic_story": "Qakbot", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt 
Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated 
Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], 
"mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", 
"Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", 
"Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, 
{"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], 
"mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Command And Control", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Malicious 
PowerShell Process - Encoded Command - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Office Application Spawn Regsvr32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Services LOLBAS Execution Process Spawn - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule", "ESCU - Windows App Layer Protocol Qakbot NamedPipe - Rule", "ESCU - Windows App Layer Protocol Wermgr Connect To NamedPipe - Rule", "ESCU - Windows Command Shell Fetch Env Variables - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Side-Loading In Calc - Rule", "ESCU - Windows DLL Side-Loading Process Child Of Calc - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Masquerading Explorer As Child Process - Rule", "ESCU - Windows Modify Registry Qakbot Binary Data Registry - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Of Wermgr to Known Browser - Rule", 
"ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - Windows Regsvr32 Renamed Binary - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", "ESCU - Windows System Discovery Using Qwinsta - Rule", "ESCU - Windows WMI Impersonate Token - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, 
{"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Office Application Spawn Regsvr32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Services LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": 
"endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows App Layer Protocol Qakbot NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows App Layer Protocol Wermgr Connect To NamedPipe", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": "Windows Command Shell Fetch Env Variables", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": 
"endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Side-Loading In Calc", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Side-Loading Process Child Of Calc", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Masquerading Explorer As Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows Modify Registry Qakbot Binary Data Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection Of Wermgr to Known Browser", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Regsvr32 Renamed Binary", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows System Discovery Using ldap Nslookup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows System Discovery Using Qwinsta", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Impersonate Token", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": 
"Ransomware", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 1, "id": "cf309d0d-d4aa-4fbb-963d-1e79febd3756", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.", "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. There are many types and varieties of ransomware that can affect an enterprise. Attackers can deploy ransomware to enterprises through spearphishing campaigns and driveby downloads, as well as through traditional remote service-based exploitation. In the case of the WannaCry campaign, there was self-propagating wormable functionality that was used to maximize infection. Fortunately, organizations can apply several techniques--such as those in this Analytic Story--to detect and or mitigate the effects of ransomware.", "references": ["https://web.archive.org/web/20190826231258/https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/", "https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html"], "tags": {"name": "Ransomware", "analytic_story": "Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt 
Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560.001", "mitre_attack_technique": "Archive via Utility", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "CopyKittens", "Earth Lusca", "FIN13", "FIN8", "Fox Kitten", "GALLIUM", "Gallmaker", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "MuddyWater", "Mustang Panda", "Sowbug", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070.004", "mitre_attack_technique": "File Deletion", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT3", 
"APT32", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Chimera", "Cobalt Group", "Dragonfly", "Evilnum", "FIN10", "FIN5", "FIN6", "FIN8", "Gamaredon Group", "Group5", "Kimsuky", "Lazarus Group", "Magic Hound", "Metador", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "Silence", "TEMP.Veles", "TeamTNT", "The White Company", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], 
"mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard 
Spider"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", 
"Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.005", "mitre_attack_technique": "Indicator Removal from Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT3", "Deep Panda", "GALLIUM", "OilRig", "Patchwork", "TEMP.Veles", "Turla"]}, {"mitre_attack_id": "T1546.015", "mitre_attack_technique": "Component Object Model Hijacking", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", 
"Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik 
Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1486", 
"mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1219", "mitre_attack_technique": "Remote Access Software", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Carbanak", "Cobalt Group", "DarkVishnya", "Evilnum", "FIN7", "GOLD SOUTHFIELD", "Kimsuky", "MuddyWater", "Mustang Panda", "RTM", "Sandworm Team", "TeamTNT", "Thrip"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], 
"mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1090.003", "mitre_attack_technique": "Multi-hop Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT28", "APT29", "FIN4", "Inception", "Leviathan"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Scheduled tasks used in BadRabbit ransomware - Rule", "ESCU - 7zip CommandLine To SMB Share Path - Rule", "ESCU - Allow File And Printing Sharing In Firewall - Rule", "ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Clear Unallocated Sector Using Cipher App - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Conti Common Exec 
parameter - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Detect SharpHound Command-Line Arguments - Rule", "ESCU - Detect SharpHound File Modifications - Rule", "ESCU - Detect SharpHound Usage - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable ETW Through Registry - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of SC Service Utility - Rule", "ESCU - Execute Javascript With Jscript COM CLSID - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - MS Exchange Mailbox Replication service writing Active Server Pages - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Powershell Enable SMB1Protocol Feature - Rule", "ESCU - Powershell Execute COM Object - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Recursive Delete of Directory In Batch CMD - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Rundll32 LockWorkStation - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", 
"ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Uninstall App Using MsiExec - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DiskCryptor Usage - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Raccine Scheduled Task Deletion - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Remote Access Software Hunt - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Prohibited Network Traffic Allowed - Rule", "ESCU - SMB Traffic Spike - Rule", "ESCU - SMB Traffic Spike - MLTK - Rule", "ESCU - TOR Traffic - Rule"], "investigation_names": ["ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - 
Baseline of SMB Traffic - MLTK", "ESCU - Count of Unique IPs Connecting to Ports"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Scheduled tasks used in BadRabbit ransomware", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "7zip CommandLine To SMB Share Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Archive via Utility"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Allow File And Printing Sharing In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Clear Unallocated Sector Using Cipher App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Conti Common Exec parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect SharpHound Command-Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Detect SharpHound File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission 
Groups Discovery"}]}}, {"name": "Detect SharpHound Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Local Groups"}, {"mitre_attack_technique": "Domain Trust Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Domain Groups"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of SC Service Utility", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Execute Javascript With Jscript COM CLSID", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Visual Basic"}]}}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "MS Exchange Mailbox Replication service writing Active Server Pages", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Enable SMB1Protocol Feature", "source": "endpoint", "type": 
"TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Indicator Removal from Tools"}]}}, {"name": "Powershell Execute COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Component Object Model Hijacking"}, {"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Recursive Delete of Directory In Batch CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File Deletion"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Rundll32 LockWorkStation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy 
Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Uninstall App Using MsiExec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": []}}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DiskCryptor Usage", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Raccine Scheduled Task Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Remote Access Software Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Access Software"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": 
"Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Prohibited Network Traffic Allowed", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "SMB Traffic Spike", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "SMB Traffic Spike - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "TOR Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Multi-hop Proxy"}]}}]}, {"name": "BlackMatter Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-09-06", "version": 1, "id": "0da348a3-78a0-412e-ab27-2de9dd7f9fee", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.", "narrative": "BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. 
Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", "https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/"], "tags": {"name": "BlackMatter Ransomware", "analytic_story": "BlackMatter Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}], "mitre_attack_tactics": ["Credential Access", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Add DefaultUser And Password In Registry - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Bcdedit Command Back To Normal Mode Boot - Rule", "ESCU - Change To Safe Mode With Network Config - Rule", "ESCU - Known 
Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add DefaultUser And Password In Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Bcdedit Command Back To Normal Mode Boot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Change To Safe Mode With Network Config", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}]}, {"name": "Chaos Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-11", "version": 1, "id": "153d7b8f-27f2-4e4d-bae8-dfafd93a22a8", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Chaos ransomware, including looking for file writes (file encryption and ransomware notes), deleting 
shadow volume storage, registry key modification, dropping of files in startup folder, and more.", "narrative": "CHAOS ransomware has been seen and monitored since 2021. This ransomware is purportedly a .NET version of Ryuk ransomware but upon closer look to its code and behavior, this malware sample reveals that it doesn't share much relation to the notorious RYUK ransomware. This ransomware is one of the known ransomware that was used in the ongoing geo-political war. This ransomware is capable to check that only one copy of itself is running on the targeted host, delay of execution as part of its defense evasion technique, persistence through registry and startup folder, drop a copy of itself in each root drive of the targeted host and also in %appdata% folder and many more. As of writing this ransomware is still active and keeps on infecting Windows Operating machines and Windows networks.", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging", "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction", "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/", "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"], "tags": {"name": "Chaos Ransomware", "analytic_story": "Chaos Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", 
"GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", 
"Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1091", "mitre_attack_technique": "Replication Through Removable Media", "mitre_attack_tactics": ["Initial Access", "Lateral Movement"], "mitre_attack_groups": ["APT28", "Aoqin Dragon", "Darkhotel", "FIN7", "LuminousMoth", "Mustang Panda", "Tropic Trooper"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", 
"PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Prevent Automatic Repair Mode using Bcdedit - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Replication Through Removable Media - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow 
Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Prevent Automatic Repair Mode using Bcdedit", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Replication Through Removable Media", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Replication Through Removable Media"}]}}, {"name": "Windows User Execution Malicious URL Shortcut File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, 
{"mitre_attack_technique": "User Execution"}]}}]}, {"name": "Clop Ransomware", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-03-17", "version": 1, "id": "5a6f6849-1a26-4fae-aa05-fa730556eeb6", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.", "narrative": "Clop ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf", "https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html", "https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323"], "tags": {"name": "Clop Ransomware", "analytic_story": "Clop Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", 
"mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Clop Common Exec Parameter - Rule", "ESCU - Clop Ransomware Known Service Name - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Resize ShadowStorage volume - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - Windows Event Log Cleared - Rule", "ESCU - Windows High File Deletion Frequency - Rule", 
"ESCU - Windows Service Created with Suspicious Service Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Clop Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Clop Ransomware Known Service Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Resize ShadowStorage volume", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear 
Windows Event Logs"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "Ransomware Cloud", "author": "Rod Soto, David Dorsey, Splunk", "date": "2020-10-27", "version": 1, "id": "f52f6c43-05f8-4b19-a9d3-5b8c56da91c2", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.", "narrative": "Ransomware is an ever-present risk to the enterprise, wherein an infected host encrypts business-critical data, holding it hostage until the victim pays the attacker a ransom. 
There are many types and varieties of ransomware that can affect an enterprise.Cloud ransomware can be deployed by obtaining high privilege credentials from targeted users or resources.", "references": ["https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/", "https://github.com/d1vious/git-wild-hunt", "https://www.youtube.com/watch?v=PgzNib37g0M"], "tags": {"name": "Ransomware Cloud", "analytic_story": "Ransomware Cloud", "category": ["Malware"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}], "mitre_attack_tactics": ["Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives"]}, "detection_names": ["ESCU - AWS Detect Users creating keys with encrypt policy without MFA - Rule", "ESCU - AWS Detect Users with KMS keys performing encryption S3 - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "David Dorsey, Splunk", "author_name": "Rod Soto", "detections": [{"name": "AWS Detect Users creating keys with encrypt policy without MFA", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "AWS Detect Users with KMS keys performing encryption S3", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}]}, {"name": "DarkSide Ransomware", "author": "Bhavin Patel, Splunk", "date": "2021-05-12", "version": 1, "id": "507edc74-13d5-4339-878e-b9114ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual 
activities that might relate to the DarkSide Ransomware", "narrative": "This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.", "references": ["https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations"], "tags": {"name": "DarkSide Ransomware", "analytic_story": "DarkSide Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", 
"mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1197", "mitre_attack_technique": "BITS Jobs", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["APT39", "APT41", "Leviathan", "Patchwork", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": 
"CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": 
"T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Execution", "Exfiltration", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - BITSAdmin Download File - Rule", "ESCU - CertUtil Download With URLCache and Split Arguments - Rule", "ESCU - CertUtil Download With VerifyCtl and Split Arguments - Rule", "ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect RClone Command-Line Usage - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Detect Renamed RClone - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Windows Possible Credential Dumping - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS 
Credential Dumping"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "BITSAdmin Download File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "BITS Jobs"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With URLCache and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CertUtil Download With VerifyCtl and Split Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect RClone Command-Line Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System 
Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Detect Renamed RClone", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Exfiltration"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Windows Possible Credential Dumping", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}]}, {"name": "LockBit Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-01-16", "version": 1, "id": "67e5b98d-16d6-46a6-8d00-070a3d1a5cfc", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.", "narrative": "LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. 
Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the 'double extortion' techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.", "references": ["https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"], "tags": {"name": "LockBit Ransomware", "analytic_story": "LockBit Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": 
["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", 
"MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - CMLUA Or CMSTPLUA UAC Bypass - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Fsutil Zeroing File - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Known Services Killed by Ransomware - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - Recon Using WMI Class - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - UAC Bypass With Colorui COM Object - Rule", "ESCU - Wbemprox COM Object Execution - Rule", "ESCU - Windows Modify Registry Default Icon Setting - Rule"], "investigation_names": [], 
"baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMLUA Or CMSTPLUA UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Fsutil Zeroing File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Known Services Killed by Ransomware", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Recon Using WMI Class", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "UAC Bypass With Colorui COM Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}, {"name": "Windows Modify Registry Default Icon Setting", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}]}, {"name": "Prestige Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "8b8d8506-b931-450c-b794-f24184ca1deb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Prestige Ransomware", "narrative": "This story addresses Prestige ransomware. This ransomware payload seen by Microsoft Threat Intelligence Center(MSTIC) as a ransomware campaign targeting organization in the transportation and logistic industries in some countries. This ransomware campaign highlight the destructive attack to its target organization that directly supplies or transporting military and humanitarian services or assistance. 
MSTIC observed this ransomware has similarities in terms of its deployment techniques with CaddyWiper and HermeticWiper which is also known malware campaign impacted multiple targeted critical infrastructure organizations. This analytic story will provide techniques and analytics that may help SOC or security researchers to monitor this threat.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Prestige Ransomware", "analytic_story": "Prestige Ransomware", "category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], 
"mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", 
"Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", 
"mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1115", "mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", 
"SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", 
"MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Change Default File Association - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executable File Written in Administrative SMB Share - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows Change Default File Association For No File Ext - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Credentials from Password 
Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Service Stop Via Net and SC Application - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Domain Group Discovery With Net", 
"source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": 
"Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Change Default File Association For No File Ext", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Information 
Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Managers"}]}}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Stop Via Net and SC Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": 
"Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Revil Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2021-06-04", "version": 1, "id": "817cae42-f54b-457a-8a36-fbf45521e29e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.", "narrative": "Revil ransomware is a RaaS,that a single group may operates and manges the development of this ransomware. It involve the use of ransomware payloads along with exfiltration of data. 
Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.", "references": ["https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"], "tags": {"name": "Revil Ransomware", "analytic_story": "Revil Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.007", "mitre_attack_technique": "Disable or Modify Cloud Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", 
"MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.003", "mitre_attack_technique": "CMSTP", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "MuddyWater"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Network Discovery In Firewall - Rule", "ESCU - Delete ShadowCopy With PowerShell - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Msmpeng Application DLL Side Loading - Rule", "ESCU - Powershell Disable Security Monitoring - Rule", "ESCU - Revil Common Exec Parameter - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Wbemprox COM Object Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Teoderick Contreras", "detections": [{"name": "Allow Network Discovery In Firewall", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Cloud Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Delete ShadowCopy With PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Msmpeng Application DLL Side Loading", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Powershell Disable Security Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Revil Common Exec Parameter", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Wbemprox COM Object Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "CMSTP"}]}}]}, {"name": "Rhysida Ransomware", "author": "Teoderick Contreras, Splunk", "date": "2023-12-12", "version": 1, "id": 
"0925ee49-1185-4484-94ac-7867764a9183", "description": "Utilize analytics designed to identify and delve into atypical behaviors, potentially associated with the Rhysida Ransomware. Employing these searches enables the detection of irregular patterns or actions within systems or networks, serving as proactive measures to spot potential indicators of compromise or ongoing threats. By implementing these search strategies, security analysts can effectively pinpoint anomalous activities, such as unusual file modifications, deviations in system behavior, that could potentially signify the presence or attempt of Rhysida Ransomware infiltration. These searches serve as pivotal tools in the arsenal against such threats, aiding in swift detection, investigation, and mitigation efforts to counter the impact of the Rhysida Ransomware or similar malicious entities.", "narrative": "This story addresses Rhysida ransomware. Rhysida Ransomware emerges as a silent predator, infiltrating systems stealthily and unleashing havoc upon its victims. Employing sophisticated encryption tactics, it swiftly locks critical files and databases, holding them hostage behind an impenetrable digital veil. The haunting demand for ransom sends shockwaves through affected organizations, rendering operations inert and plunging them into a tumultuous struggle between compliance and resilience. Threat actors leveraging Rhysida ransomware are known to impact \"targets of opportunity,\" including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. 
Any ransoms paid are then split between the group and the affiliates.", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a"], "tags": {"name": "Rhysida Ransomware", "analytic_story": "Rhysida Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1485", 
"mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}, {"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon 
Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1018", "mitre_attack_technique": "Remote System Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "BRONZE BUTLER", "Chimera", "Deep Panda", "Dragonfly", "Earth Lusca", "FIN5", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "HEXANE", "Indrik Spider", "Ke3chang", "Leafminer", "Magic Hound", "Naikon", "Rocke", "Sandworm Team", "Silence", "Threat Group-3390", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, 
{"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", "Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", 
"menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": 
"Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", 
"Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Disable Logs Using WevtUtil - Rule", "ESCU - Domain Account Discovery With Net App - Rule", "ESCU - Domain Controller Discovery with Nltest - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Malicious Powershell Executed As A Service - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - PowerShell 4104 Hunting - Rule", "ESCU - Ransomware Notes bulk creation - Rule", "ESCU - SAM Database File Access Attempt - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - SecretDumps Offline NTDS Dumping Tool - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Modify Registry NoChangingWallPaper - Rule", "ESCU - Windows PowerView AD Access Control 
List Enumeration - Rule", "ESCU - Windows PowerView Constrained Delegation Discovery - Rule", "ESCU - Windows PowerView Kerberos Service Ticket Request - Rule", "ESCU - Windows PowerView SPN Discovery - Rule", "ESCU - Windows PowerView Unconstrained Delegation Discovery - Rule", "ESCU - Windows Rundll32 Apply User Settings Changes - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Detect Zerologon via Zeek - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Disable Logs Using WevtUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Domain Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Domain Controller Discovery with Nltest", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "High Process Termination Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Malicious Powershell Executed As A Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, 
{"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "PowerShell 4104 Hunting", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Ransomware Notes bulk creation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "SAM Database File Access Attempt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "SecretDumps Offline NTDS Dumping Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Process File Path", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows Modify Registry NoChangingWallPaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows PowerView AD Access Control List Enumeration", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Accounts"}, {"mitre_attack_technique": "Permission Groups Discovery"}]}}, {"name": "Windows PowerView Constrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows PowerView Kerberos Service Ticket Request", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView SPN Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Windows PowerView Unconstrained Delegation Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote System Discovery"}]}}, {"name": "Windows Rundll32 Apply User Settings Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Detect Zerologon via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Ryuk Ransomware", "author": "Jose Hernandez, Splunk", "date": "2020-11-06", "version": 1, "id": "507edc74-13d5-4339-878e-b9744ded1f35", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.", "narrative": "Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called Ransomware Activity Targeting the Healthcare and Public Health Sector. This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies. The objective of these malicious campaigns is to infiltrate targets in named sectors and to drop ransomware payloads, which will likely cause disruption of service and increase risk of actual harm to the health and safety of patients at hospitals, even with the aggravant of an ongoing COVID-19 pandemic. This document specifically refers to several crimeware exploitation frameworks, emphasizing the use of Ryuk ransomware as payload. The Ryuk ransomware payload is not new. It has been well documented and identified in multiple variants. 
Payloads need a carrier, and for Ryuk it has often been exploitation frameworks such as Cobalt Strike, or popular crimeware frameworks such as Emotet or Trickbot.", "references": ["https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"], "tags": {"name": "Ryuk Ransomware", "analytic_story": "Ryuk Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1482", "mitre_attack_technique": "Domain Trust Discovery", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "Earth Lusca", "FIN8", "Magic Hound"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": 
"T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows connhost exe started forcefully - Rule", "ESCU - BCDEdit Failure Recovery Modification - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - NLTest Domain Trust Discovery - Rule", "ESCU - Ryuk Test Files Detected - Rule", "ESCU - Ryuk Wake on LAN Command - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - WBAdmin Delete System Backups - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Security Account Manager Stopped - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - Remote Desktop 
Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Splunk", "author_name": "Jose Hernandez", "detections": [{"name": "Windows connhost exe started forcefully", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "BCDEdit Failure Recovery Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "NLTest Domain Trust Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Trust Discovery"}]}}, {"name": "Ryuk Test Files Detected", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Ryuk Wake on LAN Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, 
{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WBAdmin Delete System Backups", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Security Account Manager Stopped", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}]}, {"name": "SamSam Ransomware", "author": "Rico Valdez, Splunk", "date": "2018-12-13", "version": 1, "id": "c4b89506-fbcf-4cb7-bfd6-527e54789604", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, 
and more.", "narrative": "The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.\\\nAlthough categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a \"spray-and-pray\" approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.\\\nSamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim's network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.\\\nIn a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company's files was restored within two hours of paying the sum.\\\nAccording to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. 
They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.\\\nThis Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.", "references": ["https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/", "https://thehackernews.com/2018/07/samsam-ransomware-attacks.html"], "tags": {"name": "SamSam Ransomware", "analytic_story": "SamSam Ransomware", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", 
"PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, 
{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1486", "mitre_attack_technique": "Data Encrypted for Impact", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "APT41", "FIN7", "FIN8", "Indrik Spider", "Magic Hound", "Sandworm Team", "TA505"]}, {"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1082", "mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", 
"APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Reconnaissance"], "datamodels": ["Endpoint", "Network_Traffic", "Web"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Prohibited Software On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Batch File Write to System32 - Rule", "ESCU - Common Ransomware Extensions - Rule", "ESCU - Common Ransomware Notes - Rule", "ESCU - Deleting Shadow Copies - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - File with Samsam Extension - Rule", "ESCU - Samsam Test File Write - Rule", "ESCU - Spike in File Writes - Rule", "ESCU - Remote Desktop Network Bruteforce - Rule", "ESCU - Remote Desktop Network Traffic - Rule", "ESCU - Detect attackers scanning for vulnerable JBoss servers - Rule", "ESCU - Detect malicious requests 
to exploit JBoss servers - Rule"], "investigation_names": ["ESCU - Get Backup Logs For Endpoint - Response Task", "ESCU - Get History Of Email Sources - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Investigate Successful Remote Desktop Authentications - Response Task"], "baseline_names": ["ESCU - Add Prohibited Processes to Enterprise Security", "ESCU - Identify Systems Creating Remote Desktop Traffic", "ESCU - Identify Systems Receiving Remote Desktop Traffic", "ESCU - Identify Systems Using Remote Desktop"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Prohibited Software On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": []}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Batch File Write to System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}, {"mitre_attack_technique": "Malicious File"}]}}, {"name": "Common Ransomware Extensions", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Common Ransomware Notes", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Detect PsExec With accepteula Flag", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "File with Samsam Extension", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Samsam Test File Write", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Encrypted for Impact"}]}}, {"name": "Spike in File Writes", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Remote Desktop Network Bruteforce", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Remote Desktop Network Traffic", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Detect attackers scanning for vulnerable JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Detect malicious requests to exploit JBoss servers", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "RedLine Stealer", "author": "Teoderick Contreras, Splunk", "date": "2023-04-24", "version": 1, "id": "12e31e8b-671b-4d6e-b362-a682812a71eb", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Redline Stealer trojan, including looking for file writes associated with its 
payload, screencapture, registry modification, persistence and data collection..", "narrative": "RedLine Stealer is a malware available on underground forum and subscription basis that are compiled or written in C#. This malware is capable of harvesting sensitive information from browsers such as saved credentials, auto file data, browser cookies and credit card information. It also gathers system information of the targeted or compromised host like username, location IP, RAM size available, hardware configuration and software installed. The current version of this malware contains features to steal wallet and crypto currency information.", "references": ["https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://blogs.blackberry.com/en/2021/10/threat-thursday-redline-infostealer-update"], "tags": {"name": "RedLine Stealer", "analytic_story": "RedLine Stealer", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": 
"Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Updates"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Boot or Logon Autostart Execution In Startup Folder - Rule", "ESCU - Windows Credentials from Password Stores Chrome Extension Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data 
Access - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Modify Registry Auto Minor Updates - Rule", "ESCU - Windows Modify Registry Auto Update Notif - Rule", "ESCU - Windows Modify Registry Disable WinDefender Notifications - Rule", "ESCU - Windows Modify Registry Do Not Connect To Win Update - Rule", "ESCU - Windows Modify Registry No Auto Reboot With Logon User - Rule", "ESCU - Windows Modify Registry No Auto Update - Rule", "ESCU - Windows Modify Registry Tamper Protection - Rule", "ESCU - Windows Modify Registry UpdateServiceUrlAlternate - Rule", "ESCU - Windows Modify Registry USeWuServer - Rule", "ESCU - Windows Modify Registry WuServer - Rule", "ESCU - Windows Modify Registry wuStatusServer - Rule", "ESCU - Windows Query Registry Browser List Application - Rule", "ESCU - Windows Query Registry UnInstall Program List - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Service Stop Win Updates - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Boot or Logon Autostart Execution In Startup Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Credentials from Password Stores Chrome Extension Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, 
{"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Registry Auto Minor Updates", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Auto Update Notif", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Disable WinDefender Notifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry Do Not Connect To Win Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Reboot With Logon User", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry No Auto Update", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify 
Registry"}]}}, {"name": "Windows Modify Registry Tamper Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry UpdateServiceUrlAlternate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry USeWuServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry WuServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Registry wuStatusServer", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Query Registry Browser List Application", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Query Registry UnInstall Program List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Service Stop Win Updates", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}]}, {"name": "Remcos", "author": "Teoderick Contreras, Splunk", "date": "2021-09-23", "version": 1, "id": "2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for 
file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..", "narrative": "Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.", "references": ["https://success.trendmicro.com/solution/1123281-remcos-malware-information", "https://attack.mitre.org/software/S0332/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns."], "tags": {"name": "Remcos", "analytic_story": "Remcos", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", 
"Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": 
["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", 
"APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1559.001", "mitre_attack_technique": "Component Object Model", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic 
Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Disabling Remote User Account 
Control - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Jscript Execution Using Cscript App - Rule", "ESCU - Loading Of Dynwrapx Module - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Possible Browser Pass View Parameter - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Process Writing DynamicWrapperX - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Remcos RAT File Creation in Remcos Folder - Rule", "ESCU - Suspicious Image Creation In Appdata Folder - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious WAV file in Appdata Folder - Rule", "ESCU - System Info Gathering Using Dxdiag Application - Rule", "ESCU - Vbscript Execution Using Wscript App - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Winhlp32 Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Jscript Execution Using Cscript App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Loading Of Dynwrapx Module", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Dynamic-link Library Injection"}]}}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office 
Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Possible Browser Pass View Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Web Browsers"}, {"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Process Writing DynamicWrapperX", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Component Object Model"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Remcos RAT File Creation in Remcos Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "Suspicious Image Creation In Appdata Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious WAV file in Appdata Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "System Info Gathering Using Dxdiag Application", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Vbscript Execution Using Wscript App", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Winhlp32 Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Reverse Network Proxy", "author": "Michael Haag, Splunk", "date": "2022-11-16", "version": 1, "id": "265e4127-21fd-43e4-adac-ec5d12274111", "description": "The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.", "narrative": "This analytic story covers tools like Ngrok which is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. 
Ngrok in particular has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. There are many open source and closed/paid that fall into this reverse proxy category. The analytic story and complemented analytics will be released as more are identified.", "references": ["https://attack.mitre.org/software/S0508/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf"], "tags": {"name": "Reverse Network Proxy", "analytic_story": "Reverse Network Proxy", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1572", "mitre_attack_technique": "Protocol Tunneling", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Chimera", "Cobalt Group", "FIN13", "FIN6", "Fox Kitten", "Leviathan", "Magic Hound", "OilRig"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}, {"mitre_attack_id": "T1102", "mitre_attack_technique": "Web Service", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT32", "EXOTIC LILY", "Ember Bear", "FIN6", "FIN8", "Fox Kitten", "Gamaredon Group", "Inception", "LazyScripter", "Mustang Panda", "Rocke", "TeamTNT", "Turla"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - Linux Ngrok Reverse Proxy Usage - Rule", "ESCU - Windows Ngrok Reverse Proxy Usage - Rule", "ESCU - Ngrok 
Reverse Proxy on Network - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Windows Ngrok Reverse Proxy Usage", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}, {"name": "Ngrok Reverse Proxy on Network", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Tunneling"}, {"mitre_attack_technique": "Proxy"}, {"mitre_attack_technique": "Web Service"}]}}]}, {"name": "Router and Infrastructure Security", "author": "Bhavin Patel, Splunk", "date": "2017-09-12", "version": 1, "id": "91c676cf-0b23-438d-abee-f6335e177e77", "description": "Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.", "narrative": "Networking devices, such as routers and switches, are often overlooked as resources that attackers will leverage to subvert an enterprise. Advanced threats actors have shown a proclivity to target these critical assets as a means to siphon and redirect network traffic, flash backdoored operating systems, and implement cryptographic weakened algorithms to more easily decrypt network traffic.\\\nThis Analytic Story helps you gain a better understanding of how your network devices are interacting with your hosts. 
By compromising your network devices, attackers can obtain direct access to the company's internal infrastructure— effectively increasing the attack surface and accessing private services/data.", "references": ["https://web.archive.org/web/20210420020040/https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html", "https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html"], "tags": {"name": "Router and Infrastructure Security", "analytic_story": "Router and Infrastructure Security", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1200", "mitre_attack_technique": "Hardware Additions", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["DarkVishnya"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1557", "mitre_attack_technique": "Adversary-in-the-Middle", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1557.002", "mitre_attack_technique": "ARP Cache Poisoning", "mitre_attack_tactics": ["Collection", "Credential Access"], "mitre_attack_groups": ["Cleaver", "LuminousMoth"]}, {"mitre_attack_id": "T1542.005", "mitre_attack_technique": "TFTP Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1020", "mitre_attack_technique": "Automated Exfiltration", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["Gamaredon Group", "Ke3chang", "Sidewinder", "Tropic Trooper"]}, {"mitre_attack_id": "T1020.001", 
"mitre_attack_technique": "Traffic Duplication", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Exfiltration", "Impact", "Initial Access", "Persistence"], "datamodels": ["Authentication", "Network_Traffic"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect New Login Attempts to Routers - Rule", "ESCU - Detect ARP Poisoning - Rule", "ESCU - Detect IPv6 Network Infrastructure Threats - Rule", "ESCU - Detect Port Security Violation - Rule", "ESCU - Detect Rogue DHCP Server - Rule", "ESCU - Detect Software Download To Network Device - Rule", "ESCU - Detect Traffic Mirroring - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect New Login Attempts to Routers", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect ARP Poisoning", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect IPv6 Network Infrastructure Threats", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect Port Security Violation", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": 
"Adversary-in-the-Middle"}, {"mitre_attack_technique": "ARP Cache Poisoning"}]}}, {"name": "Detect Rogue DHCP Server", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Adversary-in-the-Middle"}]}}, {"name": "Detect Software Download To Network Device", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "TFTP Boot"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Detect Traffic Mirroring", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hardware Additions"}, {"mitre_attack_technique": "Automated Exfiltration"}, {"mitre_attack_technique": "Network Denial of Service"}, {"mitre_attack_technique": "Traffic Duplication"}]}}]}, {"name": "Sandworm Tools", "author": "Teoderick Contreras, Splunk", "date": "2022-04-05", "version": 1, "id": "54146850-9d26-4877-a611-2db33231e63e", "description": "This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the \"Sandworm\" group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.", "narrative": "The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. 
This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.", "references": ["https://cert.gov.ua/article/3718487", "https://attack.mitre.org/groups/G0034/"], "tags": {"name": "Sandworm Tools", "analytic_story": "Sandworm Tools", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", 
"Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.004", "mitre_attack_technique": "Masquerade Task or Service", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT41", "BITTER", "BackdoorDiplomacy", "Carbanak", "FIN13", "FIN6", "FIN7", "Fox Kitten", "Higaisa", "Kimsuky", "Lazarus Group", "Magic Hound", "Naikon", "PROMETHIUM", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", 
"Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550.003", "mitre_attack_technique": "Pass the Ticket", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["APT29", "APT32", "BRONZE BUTLER"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic 
Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": 
["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Detect Mimikatz Using Loaded Images - Rule", "ESCU - Detect Mimikatz With PowerShell Script Block Logging - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Detect Renamed PSExec - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - Linux Iptables Firewall Modification - Rule", "ESCU - Linux Kworker Process In Writable Process Path - Rule", "ESCU - Local Account Discovery with Net - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Mimikatz PassTheTicket CommandLine Parameters - Rule", "ESCU - Permission Modification using Takeown App - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows System Shutdown CommandLine - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Detect Mimikatz Using Loaded Images", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS 
Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect Mimikatz With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Detect Renamed PSExec", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Linux Iptables Firewall Modification", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Linux Kworker Process In Writable Process Path", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerade Task or Service"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Local Account Discovery with Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Mimikatz PassTheTicket CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Use Alternate Authentication Material"}, {"mitre_attack_technique": "Pass the Ticket"}]}}, {"name": "Permission Modification using Takeown App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication 
Certificates"}]}}, {"name": "Windows System Shutdown CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Shutdown/Reboot"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Scheduled Tasks", "author": "Michael Haag, Splunk", "date": "2023-06-12", "version": 1, "id": "94cff925-d05c-40cf-b925-d6c5702a2399", "description": "The MITRE ATT&CK technique T1053 refers to Scheduled Task/Job. Adversaries might use task scheduling utilities to execute programs or scripts at a predefined date and time. This method is often used for persistence but can also be used for privilege escalation or to execute tasks under certain conditions. Scheduling tasks can be beneficial for an attacker as it can allow them to execute actions at times when the system is less likely to be monitored actively. Different operating systems have different utilities for task scheduling, for example, Unix-like systems have Cron, while Windows has Scheduled Tasks and At Jobs.", "narrative": "MITRE ATT&CK technique T1053, labeled \"Scheduled Task/Job\", is a categorization of methods that adversaries use to execute malicious code by scheduling tasks or jobs on a system. This technique is widely utilized for persistence, privilege escalation, and the remote execution of tasks. The technique is applicable across various environments and platforms, including Windows, Linux, and macOS.\\\nThe technique consists of multiple sub-techniques, each highlighting a distinct mechanism for scheduling tasks or jobs. 
These sub-techniques include T1053.001 (Scheduled Task), T1053.002 (At for Windows), T1053.003 (Cron), T1053.004 (Launchd), T1053.005 (At for Linux), and T1053.006 (Systemd Timers).\\\nScheduled Task (T1053.001) focuses on adversaries' methods for scheduling tasks on a Windows system to maintain persistence or escalate privileges. These tasks can be set to execute at specified times, in response to particular events, or after a defined time interval.\\\nThe At command for Windows (T1053.002) enables administrators to schedule tasks on a Windows system. Adversaries may exploit this command to execute programs at system startup or at a predetermined schedule for persistence.\\\nCron (T1053.003) is a built-in job scheduler found in Unix-like operating systems. Adversaries can use cron jobs to execute programs at system startup or on a scheduled basis for persistence.\\\nLaunchd (T1053.004) is a service management framework present in macOS. Adversaries may utilize launchd to maintain persistence on macOS systems by setting up daemons or agents to execute at specific times or in response to defined events.\\\nThe At command for Linux (T1053.005) enables administrators to schedule tasks on a Linux system. Adversaries can use this command to execute programs at system startup or on a scheduled basis for persistence.\\\nSystemd Timers (T1053.006) offer a means of scheduling tasks on Linux systems using systemd. Adversaries can use systemd timers to execute programs at system startup or on a scheduled basis for persistence.\\\nDetection and mitigation strategies vary for each sub-technique. For instance, monitoring the creation of scheduled tasks or looking for uncorrelated changes to tasks that do not align with known software or patch cycles can be effective for detecting malicious activity related to this technique. 
Mitigation strategies may involve restricting permissions and applying application control solutions to prevent adversaries from scheduling tasks.", "references": ["https://attack.mitre.org/techniques/T1053/"], "tags": {"name": "Scheduled Tasks", "analytic_story": "Scheduled Tasks", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1053.003", "mitre_attack_technique": "Cron", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT38", "Rocke"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.002", "mitre_attack_technique": "At", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "BRONZE BUTLER", "Threat Group-3390"]}, {"mitre_attack_id": "T1053.006", "mitre_attack_technique": "Systemd Timers", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1021.006", "mitre_attack_technique": "Windows Remote Management", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Chimera", "FIN13", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", 
"Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", 
"Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Linux Add Files In Known Crontab Directories - Rule", "ESCU - Linux Adding Crontab Using List Parameter - Rule", "ESCU - Linux At Allow Config File Creation - Rule", "ESCU - Linux At Application Execution - Rule", "ESCU - Linux Edit Cron Table Parameter - Rule", "ESCU - Linux Possible Append Command To At Allow Config File - Rule", "ESCU - Linux Possible Append Cronjob Entry on Existing Cronjob File - Rule", "ESCU - Linux Possible Cronjob Modification With Editor - Rule", "ESCU - Linux Service File Created In Systemd Directory - Rule", "ESCU - Linux Service Restarted - Rule", "ESCU - Linux Service Started Or Enabled - Rule", "ESCU - Possible 
Lateral Movement PowerShell Spawn - Rule", "ESCU - Randomly Generated Scheduled Task Name - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Creation on Remote Endpoint using At - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Scheduled Task Initiation on Remote Endpoint - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Schtasks scheduling job on remote system - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Short Lived Scheduled Task - Rule", "ESCU - Suspicious Scheduled Task from Public Directory - Rule", "ESCU - Svchost LOLBAS Execution Process Spawn - Rule", "ESCU - Windows Enable Win32 ScheduledJob via Registry - Rule", "ESCU - Windows Hidden Schedule Task Settings - Rule", "ESCU - Windows PowerShell ScheduleTask - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Scheduled Task with Highest Privileges - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Linux Add Files In Known Crontab Directories", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Adding Crontab Using List Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Allow Config File Creation", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux At Application Execution", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Edit Cron Table Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Command To At Allow Config File", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "At"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Append Cronjob Entry on Existing Cronjob File", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Possible Cronjob Modification With Editor", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cron"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service File Created In Systemd Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Restarted", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Linux Service Started Or Enabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Systemd Timers"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Possible Lateral Movement PowerShell Spawn", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Remote Management"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Randomly Generated Scheduled Task Name", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Creation on Remote Endpoint using At", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "At"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Initiation on Remote Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks scheduling job on remote system", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Short Lived Scheduled Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Svchost LOLBAS Execution Process Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Enable Win32 ScheduledJob via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Hidden Schedule Task Settings", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows PowerShell ScheduleTask", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Scheduled Task with Highest Privileges", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}, {"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Signed Binary Proxy Execution InstallUtil", "author": "Michael Haag, Splunk", "date": "2021-11-12", "version": 1, "id": "9482a314-43dc-11ec-a3c9-acde48001122", "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.", "narrative": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. 
\\\nThere are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe. \\\nTypically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method. \\\nNote that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded. \\\nParallel processes may also include csc.exe being used to compile a local `.cs` file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.", "references": ["https://attack.mitre.org/techniques/T1218/004/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"], "tags": {"name": "Signed Binary Proxy Execution InstallUtil", "analytic_story": "Signed Binary Proxy Execution InstallUtil", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", 
"Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil Credential Theft - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows InstallUtil Remote Network Connection - Rule", "ESCU - Windows InstallUtil Uninstall Option - Rule", "ESCU - Windows InstallUtil Uninstall Option with Network - Rule", "ESCU - Windows InstallUtil URL in Command Line - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil Credential Theft", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows 
InstallUtil Remote Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil Uninstall Option with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows InstallUtil URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "InstallUtil"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}]}, {"name": "Silver Sparrow", "author": "Michael Haag, Splunk", "date": "2021-02-24", "version": 1, "id": "cb4f48fe-7699-11eb-af77-acde48001122", "description": "Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.", "narrative": "Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. 
Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party Caffiliates or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/"], "tags": {"name": "Silver Sparrow", "analytic_story": "Silver Sparrow", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543.001", "mitre_attack_technique": "Launch Agent", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", 
"mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1074", "mitre_attack_technique": "Data Staged", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Volt Typhoon", "Wizard Spider"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Suspicious Curl Network Connection - Rule", "ESCU - Suspicious PlistBuddy Usage - Rule", "ESCU - Suspicious PlistBuddy Usage via OSquery - Rule", "ESCU - Suspicious SQLite3 LSQuarantine Behavior - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Curl Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Suspicious PlistBuddy Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious PlistBuddy Usage via OSquery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Launch Agent"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious SQLite3 LSQuarantine Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Staged"}]}}]}, {"name": "Snake Malware", "author": "Michael Haag, Splunk", "date": "2023-05-10", "version": 1, "id": "032bacbb-f90d-43aa-bbcc-d87f169a29c8", "description": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal 
Security Service (FSB) for long-term intelligence collection on sensitive targets.", "narrative": "The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. 
(CISA, 2023)", "references": ["https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"], "tags": {"name": "Snake Malware", "analytic_story": "Snake Malware", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", 
"Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1547.006", "mitre_attack_technique": "Kernel Modules and Extensions", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Service Created with Suspicious Service Path - Rule", "ESCU - Windows Service Created Within Public Path - Rule", "ESCU - Windows Snake Malware File Modification Crmlog - Rule", "ESCU - Windows Snake Malware Kernel Driver Comadmin - Rule", "ESCU - Windows Snake Malware Registry Modification wav OpenWithProgIds - Rule", "ESCU - Windows Snake Malware Service Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Service Created with Suspicious Service Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Windows Service Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Create or Modify System Process"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Windows Snake Malware File Modification Crmlog", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Windows Snake Malware Kernel Driver Comadmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}]}}, {"name": "Windows Snake Malware Registry Modification wav OpenWithProgIds", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Snake Malware Service Create", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Kernel Modules and Extensions"}, {"mitre_attack_technique": "Service Execution"}]}}]}, {"name": "Sneaky Active Directory Persistence Tricks", "author": "Dean Luxton, Mauricio Velazco, Splunk", "date": "2022-08-29", "version": 1, "id": "f676c4c1-c769-4ecb-9611-5fd85b497c56", "description": "Monitor for activities and techniques associated with Windows Active Directory persistence techniques.", "narrative": "Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.\\\nIn 2015 Active Directory security researcher Sean Metcalf published a blog post titled `Sneaky Active Directory Persistence Tricks`. 
In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.\\\nThis analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.", "references": ["https://adsecurity.org/?p=1929", "https://www.youtube.com/watch?v=Lz6haohGAMc&feature=youtu.be", "https://adsecurity.org/wp-content/uploads/2015/09/DEFCON23-2015-Metcalf-RedvsBlue-ADAttackAndDefense-Final.pdf", "https://attack.mitre.org/tactics/TA0003/", "https://www.dcshadow.com", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer"], "tags": {"name": "Sneaky Active Directory Persistence Tricks", "analytic_story": "Windows Domain Controller Attacks", "category": ["Adversary Tactics", "Account Compromise", "Lateral Movement", "Privilege Escalation"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1207", "mitre_attack_technique": "Rogue Domain Controller", "mitre_attack_tactics": ["Defense 
Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1484", "mitre_attack_technique": "Domain Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1003.006", "mitre_attack_technique": "DCSync", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Earth Lusca", "LAPSUS$"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1484.001", "mitre_attack_technique": "Group Policy Modification", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Indrik Spider"]}, {"mitre_attack_id": "T1078.002", "mitre_attack_technique": "Domain Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "Chimera", "Indrik Spider", "Magic Hound", "Naikon", "Sandworm Team", "TA505", "Threat Group-1314", "Volt Typhoon", "Wizard Spider"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Change", "Endpoint", "Network_Traffic"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Registry Keys Used For Persistence - Rule", "ESCU - 
Windows AD AdminSDHolder ACL Modified - Rule", "ESCU - Windows AD Cross Domain SID History Addition - Rule", "ESCU - Windows AD Domain Controller Audit Policy Disabled - Rule", "ESCU - Windows AD Domain Controller Promotion - Rule", "ESCU - Windows AD Domain Replication ACL Addition - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD DSRM Password Reset - Rule", "ESCU - Windows AD Privileged Account SID History Addition - Rule", "ESCU - Windows AD Replication Request Initiated by User Account - Rule", "ESCU - Windows AD Replication Request Initiated from Unsanctioned Location - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows AD ServicePrincipalName Added To Domain Account - Rule", "ESCU - Windows AD Short Lived Domain Account ServicePrincipalName - Rule", "ESCU - Windows AD Short Lived Domain Controller SPN Attribute - Rule", "ESCU - Windows AD Short Lived Server Object - Rule", "ESCU - Windows AD SID History Attribute Modified - Rule", "ESCU - Windows Admon Default Group Policy Object Modified - Rule", "ESCU - Windows Admon Group Policy Object Created - Rule", "ESCU - Windows Default Group Policy Object Modified - Rule", "ESCU - Windows Default Group Policy Object Modified with GPME - Rule", "ESCU - Windows Group Policy Object Created - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows AD Replication Service Traffic - Rule", "ESCU - Windows AD Rogue Domain Controller Network Activity - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Mauricio Velazco, Splunk", "author_name": "Dean Luxton", "detections": [{"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD AdminSDHolder ACL Modified", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows AD Cross Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Domain Controller Audit Policy Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}]}}, {"name": "Windows AD Domain Controller Promotion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Domain Replication ACL Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD DSRM Password Reset", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Privileged Account SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD Replication Request Initiated by User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows AD Replication Request Initiated from Unsanctioned Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, 
{"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows AD ServicePrincipalName Added To Domain Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Short Lived Domain Account ServicePrincipalName", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Short Lived Domain Controller SPN Attribute", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Short Lived Server Object", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD SID History Attribute Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "SID-History Injection"}]}}, {"name": "Windows Admon Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Admon Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group 
Policy Modification"}]}}, {"name": "Windows Default Group Policy Object Modified with GPME", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}]}}, {"name": "Windows Group Policy Object Created", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Policy Modification"}, {"mitre_attack_technique": "Group Policy Modification"}, {"mitre_attack_technique": "Domain Accounts"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD Replication Service Traffic", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "DCSync"}, {"mitre_attack_technique": "Rogue Domain Controller"}]}}, {"name": "Windows AD Rogue Domain Controller Network Activity", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rogue Domain Controller"}]}}]}, {"name": "Spearphishing Attachments", "author": "Splunk Research Team, Splunk", "date": "2019-04-29", "version": 1, "id": "57226b40-94f3-4ce5-b101-a75f67759c27", "description": "Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.", "narrative": "Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as [91% of all successful attacks](https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing) are initiated via a phishing email. 
\\\nAs most people know, these emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/), or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Worse, because its success relies on the gullibility of humans, it's impossible to completely \"automate\" it out of your environment. However, you can use ES and ESCU to detect and investigate potentially malicious payloads injected into your environment subsequent to a phishing attack. \\\nWhile any kind of file may contain a malicious payload, some are more likely to be perceived as benign (and thus more often escape notice) by the average victim—especially when the attacker sends an email that seems to be from one of their contacts. An example is Microsoft Office files. Most corporate users are familiar with documents with the following suffixes: .doc/.docx (MS Word), .xls/.xlsx (MS Excel), and .ppt/.pptx (MS PowerPoint), so they may click without a second thought, slashing a hole in their organizations' security. \\\nFollowing is a typical series of events, according to an [article by Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/rising-trend-attackers-using-lnk-files-download-malware/):\\\n1. Attacker sends a phishing email. Recipient downloads the attached file, which is typically a .docx or .zip file with an embedded .lnk file\\\n1. The .lnk file executes a PowerShell script\\\n1. 
Powershell executes a reverse shell, rendering the exploit successful As a side note, adversaries are likely to use a tool like Empire to craft and obfuscate payloads and their post-injection activities, such as [exfiltration, lateral movement, and persistence](https://github.com/EmpireProject/Empire).\\\nThis Analytic Story focuses on detecting signs that a malicious payload has been injected into your environment. For example, one search detects outlook.exe writing a .zip file. Another looks for suspicious .lnk files launching processes.", "references": ["https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"], "tags": {"name": "Spearphishing Attachments", "analytic_story": "Spearphishing Attachments", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", 
"TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.002", "mitre_attack_technique": "Right-to-Left Override", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["BRONZE BUTLER", "BlackTech", "Ferocious Kitten", "Ke3chang", "Scarlet Mimic"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1564.003", "mitre_attack_technique": "Hidden Window", "mitre_attack_tactics": 
["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "CopyKittens", "DarkHydrus", "Deep Panda", "Gamaredon Group", "Gorgon Group", "Higaisa", "Kimsuky", "Magic Hound", "Nomadic Octopus"]}, {"mitre_attack_id": "T1564.006", "mitre_attack_technique": "Run Virtual Instance", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Initial Access"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Gdrive suspicious file sharing - Rule", "ESCU - Gsuite suspicious calendar invite - Rule", "ESCU - Detect Outlook exe writing a zip file - Rule", "ESCU - Detect RTLO In File Name - Rule", "ESCU - Detect RTLO In Process - Rule", "ESCU - Excel Spawning PowerShell - Rule", "ESCU - Excel Spawning Windows Script Host - Rule", "ESCU - MSHTML Module Load in Office Product - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Creating Schedule Task - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Document Spawned Child Process To Download - Rule", "ESCU - Office Product 
Spawning BITSAdmin - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Office Product Spawning MSHTA - Rule", "ESCU - Office Product Spawning Rundll32 with no DLL - Rule", "ESCU - Office Product Spawning Windows Script Host - Rule", "ESCU - Office Product Spawning Wmic - Rule", "ESCU - Office Product Writing cab or inf - Rule", "ESCU - Office Spawning Control - Rule", "ESCU - Process Creating LNK file in Suspicious Location - Rule", "ESCU - Windows ConHost with Headless Argument - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Office Product Spawning MSDT - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows Spearphishing Attachment Connect To None MS Office Domain - Rule", "ESCU - Windows Spearphishing Attachment Onenote Spawn Mshta - Rule", "ESCU - Winword Spawning Cmd - Rule", "ESCU - Winword Spawning PowerShell - Rule", "ESCU - Winword Spawning Windows Script Host - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Splunk Research Team", "detections": [{"name": "Gdrive suspicious file sharing", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "Gsuite suspicious calendar invite", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}, {"name": "Detect Outlook exe writing a zip file", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Detect RTLO In File Name", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Detect RTLO In Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Right-to-Left Override"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Excel Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Excel Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "MSHTML Module Load in Office Product", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Creating Schedule Task", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Spawned Child Process To Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning BITSAdmin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning MSHTA", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Rundll32 with no DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning Wmic", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Writing cab or inf", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Spawning Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Process Creating LNK file in Suspicious Location", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Windows ConHost with Headless Argument", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Window"}, {"mitre_attack_technique": "Run Virtual Instance"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Office Product Spawning MSDT", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Windows Phishing PDF File Executes URL Link", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Connect To None MS Office Domain", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Spearphishing Attachment Onenote Spawn Mshta", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Winword Spawning Cmd", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning PowerShell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Winword Spawning Windows Script Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}]}, {"name": "Splunk Vulnerabilities", "author": "Lou Stella, Splunk", "date": "2023-11-16", "version": 1, "id": "5354df00-dce2-48ac-9a64-8adb48006828", "description": "Keeping your 
Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.", "narrative": "This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.", "references": ["https://www.splunk.com/en_us/product-security/announcements.html"], "tags": {"name": "Splunk Vulnerabilities", "analytic_story": "Splunk Vulnerabilities", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1083", "mitre_attack_technique": "File and Directory Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT28", "APT3", "APT32", "APT38", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "Chimera", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN13", "Fox Kitten", "Gamaredon Group", "HAFNIUM", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "Sowbug", "TeamTNT", "Tropic Trooper", "Turla", "Windigo", "Winnti Group", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", 
"menuPass"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1567", "mitre_attack_technique": "Exfiltration Over Web Service", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT28", "Magic Hound"]}, {"mitre_attack_id": "T1587.003", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29", "PROMETHIUM"]}, {"mitre_attack_id": "T1498", "mitre_attack_technique": "Network Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT28"]}, {"mitre_attack_id": "T1499.004", "mitre_attack_technique": "Application or System Exploitation", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1499", "mitre_attack_technique": "Endpoint Denial of Service", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Sandworm Team"]}, {"mitre_attack_id": "T1027.006", "mitre_attack_technique": "HTML Smuggling", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1212", "mitre_attack_technique": "Exploitation for Credential Access", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", 
"Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1001.003", "mitre_attack_technique": "Protocol Impersonation", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Higaisa", "Lazarus Group"]}, {"mitre_attack_id": "T1588.004", "mitre_attack_technique": "Digital Certificates", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["BlackTech", "Lazarus Group", "LuminousMoth", "Silent Librarian"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat 
Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1040", "mitre_attack_technique": "Network Sniffing", "mitre_attack_tactics": ["Credential Access", "Discovery"], "mitre_attack_groups": ["APT28", "APT33", "DarkVishnya", "Kimsuky", "Sandworm Team"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Splunk_Audit", "Web"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - 
Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"], "investigation_names": [], 
"baseline_names": ["ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline"], "author_company": "Splunk", "author_name": "Lou Stella", "detections": [{"name": "Detect Risky SPL using Pretrained ML Model", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Path traversal SPL injection", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Splunk Absolute Path Traversal Using runshellscript", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Splunk Account Discovery Drilldown Dashboard Disclosure", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Splunk App for Lookup File Editing RCE via User XSLT", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Code Injection via custom dashboard leading to RCE", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Command and Scripting Interpreter Delete Usage", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk Command and Scripting Interpreter Risky Commands", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk Command and Scripting Interpreter Risky SPL MLTK", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Splunk csrf in the ssg kvstore client endpoint", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Data exfiltration from Analytics Workspace using sid query", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Web Service"}]}}, {"name": "Splunk Digital Certificates Infrastructure Version", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk Digital Certificates Lack of Encryption", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk DoS Using Malformed SAML Request", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}]}}, {"name": "Splunk DOS Via Dump SPL Command", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application or System Exploitation"}]}}, {"name": "Splunk DoS via Malformed S2S Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Denial of Service"}]}}, {"name": "Splunk DOS via printf search function", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application or System Exploitation"}]}}, {"name": "Splunk Edit User Privilege Escalation", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Splunk Endpoint Denial of Service DoS Zip Bomb", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk ES DoS Investigations Manager via Investigation Creation", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk ES DoS Through Investigation Attachments", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk HTTP Response Splitting Via Rest SPL Command", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "HTML Smuggling"}]}}, {"name": "Splunk Improperly Formatted Parameter Crashes splunkd", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Endpoint Denial of Service"}]}}, {"name": "Splunk list all nonstandard admin accounts", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Low Privilege User Can View Hashed Splunk Password", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Credential Access"}]}}, {"name": "Splunk Path Traversal In Splunk App For Lookup File Edit", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Discovery"}]}}, {"name": "Persistent XSS in RapidDiag through User Interface Views", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Persistent XSS Via URL Validation Bypass W Dashboard", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Process Injection Forwarder Bundle Downloads", "source": "application", 
"type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Splunk Protocol Impersonation Weak Encryption Configuration", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Protocol Impersonation"}]}}, {"name": "Splunk protocol impersonation weak encryption selfsigned", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk protocol impersonation weak encryption simplerequest", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Digital Certificates"}]}}, {"name": "Splunk RBAC Bypass On Indexing Preview REST Endpoint", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Splunk RCE via Serialized Session Payload", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk RCE via User XSLT", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation of Remote Services"}]}}, {"name": "Splunk Reflected XSS in the templates lists radio", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Reflected XSS on App Search Table Endpoint", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk risky Command Abuse disclosed 
february 2023", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Splunk Stored XSS via Data Model objectName field", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk Unauthenticated Log Injection Web Service Log", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Splunk unnecessary file extensions allowed by lookup table uploads", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk User Enumeration Attempt", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Splunk XSS in Highlighted JSON Events", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS in Monitoring Console", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS in Save table dialog header in search page", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Splunk XSS via View", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Open Redirect in Splunk Web", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Splunk Enterprise Information Disclosure", "source": "deprecated", "type": "TTP", "tags": 
{"mitre_attack_enrichments": []}}, {"name": "Splunk Identified SSL TLS Certificates", "source": "network", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Network Sniffing"}]}}]}, {"name": "Spring4Shell CVE-2022-22965", "author": "Michael Haag, Splunk", "date": "2022-04-05", "version": 1, "id": "dcc19913-6918-4ed2-bbba-a6b484c10ef4", "description": "Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.", "narrative": "An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. \\\nAccording to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time: \\\n- Java Development Kit (JDK) 9 or greater \\\n- Apache Tomcat as the Servlet container \\\n- Packaged as a WAR \\\n- spring-webmvc or spring-webflux dependency \\\n", "references": ["https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability"], "tags": {"name": "Spring4Shell CVE-2022-22965", "analytic_story": "Spring4Shell CVE-2022-22965", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD 
SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Java Writing JSP File - Rule", "ESCU - Linux Java Spawning Shell - Rule", "ESCU - Spring4Shell Payload URL Request - Rule", "ESCU - Web JSP Request via URL - Rule", "ESCU - Web Spring4Shell HTTP Request Class Module - Rule", "ESCU - Web Spring Cloud Function FunctionRouter - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": 
"External Remote Services"}]}}, {"name": "Linux Java Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Spring4Shell Payload URL Request", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web JSP Request via URL", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web Spring4Shell HTTP Request Class Module", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Web Spring Cloud Function FunctionRouter", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "SQL Injection", "author": "Bhavin Patel, Splunk", "date": "2017-09-19", "version": 1, "id": "4f6632f5-449c-4686-80df-57625f59bab3", "description": "Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.", "narrative": "It is very common for attackers to inject SQL parameters into vulnerable web applications, which then interpret the malicious SQL statements.\\\nThis Analytic Story contains a search designed to identify attempts by 
attackers to leverage this technique to compromise a host and gain a foothold in the target environment.", "references": ["https://capec.mitre.org/data/definitions/66.html", "https://www.incapsula.com/web-application-security/sql-injection.html"], "tags": {"name": "SQL Injection", "analytic_story": "SQL Injection", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery"]}, "detection_names": ["ESCU - SQL Injection with Long URLs - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "SQL Injection with Long URLs", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "author": "Michael Haag, Splunk", "date": "2023-10-10", "version": 1, "id": "7faf91b6-532a-4f18-807c-b2761e90b6dc", "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. 
This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.", "narrative": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). 
Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.", "references": ["https://attack.mitre.org/techniques/T1553/003/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml", "https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://github.com/mattifestation/PoCSubjectInterfacePackage", "https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/"], "tags": {"name": "Subvert Trust Controls SIP and Trust Provider Hijacking", "analytic_story": "Subvert Trust Controls SIP and Trust Provider Hijacking", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1553.003", "mitre_attack_technique": "SIP and Trust Provider Hijacking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows Registry SIP Provider Modification - Rule", "ESCU - Windows SIP Provider Inventory - Rule", "ESCU - Windows SIP WinVerifyTrust Failed Trust Validation - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Registry SIP Provider Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}}, {"name": "Windows SIP Provider Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}}, {"name": "Windows SIP 
WinVerifyTrust Failed Trust Validation", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SIP and Trust Provider Hijacking"}]}}]}, {"name": "Suspicious AWS Login Activities", "author": "Bhavin Patel, Splunk", "date": "2019-05-01", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c59f1268af3", "description": "Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins. ", "narrative": "It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "tags": {"name": "Suspicious AWS Login Activities", "analytic_story": "Suspicious AWS Login Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], 
"mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation", "Resource Development"], "datamodels": ["Authentication"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - AWS Successful Console Authentication From Multiple IPs - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule", "ESCU - Detect new user AWS Console Login - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task"], "baseline_names": ["ESCU - Previously seen users in CloudTrail", "ESCU - Update previously seen users in CloudTrail"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Successful Console Authentication From Multiple IPs", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, 
{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect new user AWS Console Login", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}]}}]}, {"name": "Suspicious AWS S3 Activities", "author": "Bhavin Patel, Splunk", "date": "2023-04-24", "version": 3, "id": "66732346-8fb0-407b-9633-da16756567d6", "description": "Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.", "narrative": "One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations.\\\nHowever, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses. \\\nIt is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. 
By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.", "references": ["https://github.com/nagwww/s3-leaks", "https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/", null], "tags": {"name": "Suspicious AWS S3 Activities", "analytic_story": "Suspicious AWS S3 Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1119", "mitre_attack_technique": "Automated Collection", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT1", "APT28", "Chimera", "Confucius", "FIN5", "FIN6", "Gamaredon Group", "Ke3chang", "Mustang Panda", "OilRig", "Patchwork", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}], "mitre_attack_tactics": ["Collection", "Exfiltration", "Impact"], "datamodels": [], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - AWS Disable Bucket Versioning - Rule", "ESCU - AWS Exfiltration via Bucket Replication - Rule", "ESCU - AWS Exfiltration via DataSync Task - Rule", "ESCU - Detect New Open S3 buckets - Rule", "ESCU - Detect New Open S3 Buckets over AWS CLI - Rule", "ESCU - Detect S3 access from a new IP - Rule", "ESCU - Detect Spike in S3 Bucket deletion - Rule"], 
"investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS S3 Bucket details via bucketName - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS activities via region name - Response Task"], "baseline_names": ["ESCU - Baseline of S3 Bucket deletion activity by ARN", "ESCU - Previously seen S3 bucket access by remote IP"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "AWS Disable Bucket Versioning", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "AWS Exfiltration via Bucket Replication", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via DataSync Task", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Automated Collection"}]}}, {"name": "Detect New Open S3 buckets", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect New Open S3 Buckets over AWS CLI", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect S3 access from a new IP", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect Spike in S3 Bucket deletion", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}]}, {"name": "Suspicious AWS Traffic", "author": "Bhavin Patel, Splunk", "date": "2018-05-07", "version": 1, "id": "2e8948a5-5239-406b-b56b-6c50f2168af3", "description": "Leverage these searches to monitor your AWS 
network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).", "narrative": "A virtual private cloud (VPC) is an on-demand managed cloud-computing service that isolates computing resources for each client. Inside the VPC container, the environment resembles a physical network. \\\nAmazon's VPC service enables you to launch EC2 instances and leverage other Amazon resources. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups. Amazon also has a feature called VPC Flow Logs that enables you to log IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs.\\\n Attackers may abuse the AWS infrastructure with insecure VPCs so they can co-opt AWS resources for command-and-control nodes, data exfiltration, and more. Once an EC2 instance is compromised, an attacker may initiate outbound network connections for malicious reasons. 
Monitoring these network traffic behaviors is crucial for understanding the type of traffic flowing in and out of your network and to alert you to suspicious activities.\\\nThe searches in this Analytic Story will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors.", "references": ["https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/"], "tags": {"name": "Suspicious AWS Traffic", "analytic_story": "Suspicious AWS Traffic", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": [], "kill_chain_phases": []}, "detection_names": ["ESCU - Detect Spike in blocked Outbound Traffic from your AWS - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - AWS Network ACL Details from ID - Response Task", "ESCU - AWS Network Interface details via resourceId - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task", "ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Information For Port Activity - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of blocked outbound traffic from AWS"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect Spike in blocked Outbound Traffic from your AWS", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious Cloud Authentication Activities", "author": "Rico Valdez, Splunk", "date": "2020-06-04", "version": 1, "id": "6380ebbb-55c5-4fce-b754-01fd565fb73c", "description": "Monitor your cloud authentication events. 
Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity. ", "narrative": "It is important to monitor and control who has access to your cloud infrastructure. Detecting suspicious logins will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any compute activity whether legitimate or otherwise.\\\nThis Analytic Story has data model versions of cloud searches leveraging Authentication data, including those looking for suspicious login activity, and cross-account activity for AWS.", "references": ["https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"], "tags": {"name": "Suspicious Cloud Authentication Activities", "analytic_story": "Suspicious Cloud Authentication Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1586", "mitre_attack_technique": "Compromise Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1586.003", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1535", "mitre_attack_technique": "Unused/Unsupported Cloud Regions", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Resource Development"], 
"datamodels": ["Authentication"], "kill_chain_phases": ["Exploitation", "Weaponization"]}, "detection_names": ["ESCU - AWS Cross Account Activity From Previously Unseen Account - Rule", "ESCU - Detect AWS Console Login by New User - Rule", "ESCU - Detect AWS Console Login by User from New City - Rule", "ESCU - Detect AWS Console Login by User from New Country - Rule", "ESCU - Detect AWS Console Login by User from New Region - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Investigate AWS User Activities by user field - Response Task"], "baseline_names": ["ESCU - Previously Seen AWS Cross Account Activity - Initial", "ESCU - Previously Seen AWS Cross Account Activity - Update", "ESCU - Previously Seen Users in CloudTrail - Initial", "ESCU - Previously Seen Users In CloudTrail - Update"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "AWS Cross Account Activity From Previously Unseen Account", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Detect AWS Console Login by New User", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Detect AWS Console Login by User from New City", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New Country", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}, {"name": "Detect AWS Console Login by User from New 
Region", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compromise Accounts"}, {"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Unused/Unsupported Cloud Regions"}]}}]}, {"name": "Suspicious Cloud Instance Activities", "author": "David Dorsey, Splunk", "date": "2020-08-25", "version": 1, "id": "8168ca88-392e-42f4-85a2-767579c660ce", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "narrative": "Monitoring your cloud infrastructure logs allows you enable governance, compliance, and risk auditing. It is crucial for a company to monitor events and actions taken in the their cloud environments to ensure that your instances are not vulnerable to attacks. This Analytic Story identifies suspicious activities in your cloud compute instances and helps you respond and investigate those activities.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious Cloud Instance Activities", "analytic_story": "Suspicious Cloud Instance Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", 
"APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1537", "mitre_attack_technique": "Transfer Data to Cloud Account", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Exfiltration", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Instances Destroyed - Rule", "ESCU - Abnormally High Number Of Cloud Instances Launched - Rule", "ESCU - AWS AMI Atttribute Modification for Exfiltration - Rule", "ESCU - AWS EC2 Snapshot Shared Externally - Rule", "ESCU - AWS Exfiltration via EC2 Snapshot - Rule", "ESCU - AWS S3 Exfiltration Behavior Identified - Rule", "ESCU - Cloud Instance Modified By Previously Unseen User - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task", "ESCU - Get All AWS Activity From IP Address - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Instances Destroyed", "ESCU - Baseline Of Cloud Instances Launched", "ESCU - Previously Seen Cloud Instance Modifications By User - Initial", "ESCU - Previously Seen Cloud Instance Modifications By User - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Instances Destroyed", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Abnormally High Number Of Cloud Instances Launched", "source": 
"cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS AMI Atttribute Modification for Exfiltration", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS EC2 Snapshot Shared Externally", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS Exfiltration via EC2 Snapshot", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "AWS S3 Exfiltration Behavior Identified", "source": "cloud", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Transfer Data to Cloud Account"}]}}, {"name": "Cloud Instance Modified By Previously Unseen User", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Cloud Provisioning Activities", "author": "David Dorsey, Splunk", "date": "2018-08-20", "version": 1, "id": "51045ded-1575-4ba6-aef7-af6c73cffd86", "description": "Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.", "narrative": "Because most enterprise cloud infrastructure activities originate from familiar geographic locations, monitoring for activity from unknown or unusual regions is an important security measure. 
This indicator can be especially useful in environments where it is impossible to add specific IPs to an allow list because they vary.\\\nThis Analytic Story was designed to provide you with flexibility in the precision you employ in specifying legitimate geographic regions. It can be as specific as an IP address or a city, or as broad as a region (think state) or an entire country. By determining how precise you want your geographical locations to be and monitoring for new locations that haven't previously accessed your environment, you can detect adversaries as they begin to probe your environment. Since there are legitimate reasons for activities from unfamiliar locations, this is not a standalone indicator. Nevertheless, location can be a relevant piece of information that you may wish to investigate further.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf"], "tags": {"name": "Suspicious Cloud Provisioning Activities", "analytic_story": "Suspicious Cloud Provisioning Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", 
"Exploitation", "Installation"]}, "detection_names": ["ESCU - Cloud Provisioning Activity From Previously Unseen City - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Country - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen IP Address - Rule", "ESCU - Cloud Provisioning Activity From Previously Unseen Region - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - Previously Seen Cloud Provisioning Activity Sources - Initial", "ESCU - Previously Seen Cloud Provisioning Activity Sources - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Cloud Provisioning Activity From Previously Unseen City", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen Country", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen IP Address", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Cloud Provisioning Activity From Previously Unseen Region", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Cloud User Activities", "author": "David Dorsey, Splunk", "date": "2020-09-04", "version": 1, "id": "1ed5ce7d-5469-4232-92af-89d1a3595b39", "description": "Detect and investigate suspicious activities by users and roles in your cloud environments.", "narrative": "It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. 
In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018.\\\nIn addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.", "references": ["https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf", "https://redlock.io/blog/cryptojacking-tesla"], "tags": {"name": "Suspicious Cloud User Activities", "analytic_story": "Suspicious Cloud User Activities", "category": ["Cloud Security"], "product": ["Splunk Security Analytics for AWS", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078.004", "mitre_attack_technique": "Cloud Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Ke3chang", "LAPSUS$"]}, {"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1580", "mitre_attack_technique": "Cloud Infrastructure Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial 
Access", "Persistence", "Privilege Escalation"], "datamodels": ["Change"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Abnormally High Number Of Cloud Infrastructure API Calls - Rule", "ESCU - Abnormally High Number Of Cloud Security Group API Calls - Rule", "ESCU - AWS IAM AccessDenied Discovery Events - Rule", "ESCU - AWS Lambda UpdateFunctionCode - Rule", "ESCU - Cloud API Calls From Previously Unseen User Roles - Rule"], "investigation_names": ["ESCU - AWS Investigate User Activities By ARN - Response Task"], "baseline_names": ["ESCU - Baseline Of Cloud Infrastructure API Calls Per User", "ESCU - Baseline Of Cloud Security Group API Calls Per User", "ESCU - Previously Seen Cloud API Calls Per User Role - Initial", "ESCU - Previously Seen Cloud API Calls Per User Role - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Abnormally High Number Of Cloud Infrastructure API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "Abnormally High Number Of Cloud Security Group API Calls", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Accounts"}, {"mitre_attack_technique": "Valid Accounts"}]}}, {"name": "AWS IAM AccessDenied Discovery Events", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cloud Infrastructure Discovery"}]}}, {"name": "AWS Lambda UpdateFunctionCode", "source": "cloud", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "User Execution"}]}}, {"name": "Cloud API Calls From Previously Unseen User Roles", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}]}}]}, {"name": "Suspicious Command-Line Executions", 
"author": "Bhavin Patel, Splunk", "date": "2020-02-03", "version": 2, "id": "f4368ddf-d59f-4192-84f6-778ac5a3ffc7", "description": "Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.", "narrative": "The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.", "references": ["https://attack.mitre.org/wiki/Technique/T1059", "https://www.microsoft.com/en-us/wdsi/threats/macro-malware", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"], "tags": {"name": "Suspicious Command-Line Executions", "analytic_story": "Suspicious Command-Line Executions", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", 
"Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", 
"Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First time seen command line argument - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect suspicious processnames using pretrained model in DSDL - Rule", "ESCU - Detect Use of cmd exe to Launch Script Interpreters - Rule", "ESCU - Potentially malicious code on commandline - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "First time seen command line argument", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect suspicious processnames using pretrained model in DSDL", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Detect Use of cmd exe to Launch Script Interpreters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Potentially malicious code on commandline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "Suspicious Compiled HTML Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "a09db4d1-3827-4833-87b8-3a397e532119", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). \\\nHH.exe relies upon hhctrl.ocx to load CHM topics.This will load upon execution of a chm file. \\\nDuring investigation, review all parallel processes and child processes. 
It is possible for file modification events to occur and it is best to capture the CHM file and decompile it for further analysis. \\\nUpon usage of InfoTech Storage Handlers, ms-its, its, mk, itss.dll will load.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://attack.mitre.org/techniques/T1218/001/", "https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa"], "tags": {"name": "Suspicious Compiled HTML Activity", "analytic_story": "Suspicious Compiled HTML Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.001", "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "APT41", "Dark Caracal", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect HTML Help Renamed - Rule", "ESCU - Detect HTML Help Spawn Child Process - Rule", "ESCU - Detect HTML Help URL in Command Line - Rule", "ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", "ESCU - Windows System Binary Proxy Execution Compiled HTML File Decompile - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect HTML Help Renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Spawn Child Process", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help URL in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Detect HTML Help Using InfoTech Storage Handlers", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Compiled HTML File"}]}}, {"name": "Windows System Binary Proxy Execution Compiled HTML File Decompile", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compiled HTML File"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}]}, {"name": "Suspicious DNS Traffic", "author": "Rico Valdez, Splunk", "date": "2017-09-18", "version": 1, "id": "3c3835c0-255d-4f9e-ab84-e29ec9ec9b56", "description": "Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.", "narrative": "Although DNS is one of the fundamental underlying protocols that make the Internet work, it is often ignored (perhaps because of its complexity and effectiveness). However, attackers have discovered ways to abuse the protocol to meet their objectives. One potential abuse involves manipulating DNS to hijack traffic and redirect it to an IP address under the attacker's control. This could inadvertently send users intending to visit google.com, for example, to an unrelated malicious website. Another technique involves using the DNS protocol for command-and-control activities with the attacker's malicious code or to covertly exfiltrate data. 
The searches within this Analytic Story look for these types of abuses.", "references": ["http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/", "http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680", "https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454"], "tags": {"name": "Suspicious DNS Traffic", "analytic_story": "Suspicious DNS Traffic", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1048.003", "mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT32", "APT33", "FIN6", "FIN8", "Lazarus Group", "OilRig", "Thrip", "Wizard Spider"]}, {"mitre_attack_id": "T1071.004", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT18", "APT39", "APT41", "Chimera", "Cobalt Group", "FIN7", "Ke3chang", "LazyScripter", "OilRig", "Tropic Trooper"]}, {"mitre_attack_id": "T1048", "mitre_attack_technique": "Exfiltration Over Alternative Protocol", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1568.002", "mitre_attack_technique": "Domain Generation Algorithms", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "TA551"]}, {"mitre_attack_id": "T1189", "mitre_attack_technique": "Drive-by Compromise", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT19", "APT28", "APT32", "APT37", "APT38", "Andariel", "Axiom", "BRONZE BUTLER", "Dark Caracal", "Darkhotel", "Dragonfly", "Earth Lusca", "Elderwood", "Lazarus Group", "Leafminer", "Leviathan", "Machete", "Magic Hound", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Threat Group-3390", "Transparent 
Tribe", "Turla", "Windigo", "Windshift"]}, {"mitre_attack_id": "T1071", "mitre_attack_technique": "Application Layer Protocol", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["Magic Hound", "Rocke", "TeamTNT"]}], "mitre_attack_tactics": ["Command And Control", "Exfiltration", "Initial Access"], "datamodels": ["Endpoint", "Network_Resolution"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Delivery"]}, "detection_names": ["ESCU - Clients Connecting to Multiple DNS Servers - Rule", "ESCU - Detect Long DNS TXT Record Response - Rule", "ESCU - Detection of DNS Tunnels - Rule", "ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule", "ESCU - DNS Exfiltration Using Nslookup App - Rule", "ESCU - Excessive Usage of NSLOOKUP App - Rule", "ESCU - Detect DGA domains using pretrained model in DSDL - Rule", "ESCU - Detect DNS Data Exfiltration using pretrained model in DSDL - Rule", "ESCU - Detect hosts connecting to dynamic domain providers - Rule", "ESCU - Detect suspicious DNS TXT records using pretrained model in DSDL - Rule", "ESCU - DNS Query Length Outliers - MLTK - Rule", "ESCU - DNS Query Length With High Standard Deviation - Rule", "ESCU - Excessive DNS Failures - Rule"], "investigation_names": ["ESCU - Get DNS Server History for a host - Response Task", "ESCU - Get DNS traffic ratio - Response Task", "ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Process Responsible For The DNS Traffic - Response Task"], "baseline_names": ["ESCU - Baseline of DNS Query Length - MLTK"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Clients Connecting to Multiple DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect Long DNS TXT Record Response", 
"source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detection of DNS Tunnels", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "DNS Query Requests Resolved by Unauthorized DNS Servers", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "DNS Exfiltration Using Nslookup App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive Usage of NSLOOKUP App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Detect DGA domains using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "Detect DNS Data Exfiltration using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}]}}, {"name": "Detect hosts connecting to dynamic domain providers", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Drive-by Compromise"}]}}, {"name": "Detect suspicious DNS TXT records using pretrained model in DSDL", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Generation Algorithms"}]}}, {"name": "DNS Query Length Outliers - MLTK", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}, {"name": 
"DNS Query Length With High Standard Deviation", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over Unencrypted Non-C2 Protocol"}, {"mitre_attack_technique": "Exfiltration Over Alternative Protocol"}]}}, {"name": "Excessive DNS Failures", "source": "network", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}, {"mitre_attack_technique": "Application Layer Protocol"}]}}]}, {"name": "Suspicious Emails", "author": "Bhavin Patel, Splunk", "date": "2020-01-27", "version": 1, "id": "2b1800dd-92f9-47ec-a981-fdf1351e5d55", "description": "Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.", "narrative": "It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content.\\\nOnce a phishing message has been detected, the next steps are to answer the following questions: \\\n1. Which users have received this or a similar message in the past?\\\n1. When did the targeted campaign begin?\\\n1. 
Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.", "references": ["https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/"], "tags": {"name": "Suspicious Emails", "analytic_story": "Suspicious Emails", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}], "mitre_attack_tactics": ["Initial Access"], "datamodels": ["Email", "UEBA"], "kill_chain_phases": ["Delivery"]}, "detection_names": 
["ESCU - Email Attachments With Lots Of Spaces - Rule", "ESCU - Monitor Email For Brand Abuse - Rule", "ESCU - Suspicious Email Attachment Extensions - Rule", "ESCU - Suspicious Email - UBA Anomaly - Rule"], "investigation_names": ["ESCU - Get Email Info - Response Task", "ESCU - Get Emails From Specific Sender - Response Task", "ESCU - Get Notable History - Response Task"], "baseline_names": ["ESCU - DNSTwist Domain Names"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Email Attachments With Lots Of Spaces", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Monitor Email For Brand Abuse", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Email Attachment Extensions", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Suspicious Email - UBA Anomaly", "source": "deprecated", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}]}}]}, {"name": "Suspicious GCP Storage Activities", "author": "Shannon Davis, Splunk", "date": "2020-08-05", "version": 1, "id": "4d656b2e-d6be-11ea-87d0-0242ac130003", "description": "Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.", "narrative": "Similar to other cloud providers, GCP operates on a shared responsibility model. 
This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.", "references": ["https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security", "https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/"], "tags": {"name": "Suspicious GCP Storage Activities", "analytic_story": "Suspicious GCP Storage Activities", "category": ["Cloud Security"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1530", "mitre_attack_technique": "Data from Cloud Storage", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["Fox Kitten"]}], "mitre_attack_tactics": ["Collection"], "datamodels": ["Email"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect GCP Storage access from a new IP - Rule", "ESCU - Detect New Open GCP Storage Buckets - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect GCP Storage access from a new IP", "source": "cloud", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}, {"name": "Detect New Open GCP Storage Buckets", "source": "cloud", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data from Cloud Storage"}]}}]}, {"name": "Suspicious MSHTA Activity", "author": "Bhavin Patel, Michael Haag, Splunk", "date": "2021-01-20", "version": 2, "id": "1e5a5a53-540b-462a-8fb7-f44a4292f5dc", "description": "Monitor and detect techniques used by attackers who leverage the 
mshta.exe process to execute malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the mshta.exe process, which loads Microsoft HTML applications (mshtml.dll) with the .hta suffix. In these cases, attackers use the trusted Windows utility to proxy execution of malicious files, whether an .hta application, javascript, or VBScript.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.\\\nTriage\\\nValidate execution \\\n1. Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect.\\\n1. Determine if script code was executed with MSHTA.\\\nSituational Awareness\\\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSHTA.exe.\\\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\\\n1. Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious .DLLs?\\\n1. Network connections. Any network connections? 
Review the reputation of the remote IP or domain.\\\nRetrieval of script code\\\nThe objective of this step is to confirm the executed script code is benign or malicious.", "references": ["https://redcanary.com/blog/introducing-atomictestharnesses/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/techniques/T1218/005/", "https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5"], "tags": {"name": "Suspicious MSHTA Activity", "analytic_story": "Suspicious MSHTA Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon 
Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect mshta inline hta execution - Rule", "ESCU - Detect mshta renamed - Rule", "ESCU - Detect MSHTA Url in Command Line - Rule", "ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - Detect Rundll32 Inline HTA Execution - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious mshta child process - Rule", "ESCU - 
Suspicious mshta spawn - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK", "ESCU - Previously seen command line arguments"], "author_company": "Michael Haag, Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Detect mshta inline hta execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect mshta renamed", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect MSHTA Url in Command Line", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "Detect Rundll32 Inline HTA Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious mshta child process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, 
{"mitre_attack_technique": "Mshta"}]}}, {"name": "Suspicious mshta spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}]}, {"name": "Suspicious Okta Activity", "author": "Rico Valdez, Splunk", "date": "2020-04-02", "version": 1, "id": "9cbd34af-8f39-4476-a423-bacd126c750b", "description": "Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.", "narrative": "Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom. \\\nWhile SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important. \\\nWith people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. 
This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.", "references": ["https://attack.mitre.org/wiki/Technique/T1078", "https://owasp.org/www-community/attacks/Credential_stuffing", "https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work"], "tags": {"name": "Suspicious Okta Activity", "analytic_story": "Suspicious Okta Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1078", "mitre_attack_technique": "Valid Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT33", "APT39", "APT41", "Axiom", "Carbanak", "Chimera", "Dragonfly", "FIN10", "FIN4", "FIN5", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Ke3chang", "LAPSUS$", "Lazarus Group", "Leviathan", "OilRig", "POLONIUM", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "Suckfly", "TEMP.Veles", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1078.001", "mitre_attack_technique": "Default Accounts", "mitre_attack_tactics": ["Defense Evasion", "Initial Access", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN13", "Magic Hound"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1621", "mitre_attack_technique": "Multi-Factor Authentication Request Generation", "mitre_attack_tactics": ["Credential Access"], 
"mitre_attack_groups": ["APT29", "LAPSUS$", "Scattered Spider"]}, {"mitre_attack_id": "T1550.004", "mitre_attack_technique": "Web Session Cookie", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1538", "mitre_attack_technique": "Cloud Service Dashboard", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1539", "mitre_attack_technique": "Steal Web Session Cookie", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Evilnum", "LuminousMoth"]}, {"mitre_attack_id": "T1110.004", "mitre_attack_technique": "Credential Stuffing", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Chimera"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Authentication", "Risk"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Multiple Okta Users With Invalid Credentials From The Same IP - Rule", "ESCU - Okta Account Locked Out - Rule", "ESCU - Okta Account Lockout Events - Rule", "ESCU - Okta Failed SSO Attempts - Rule", "ESCU - Okta MFA Exhaustion Hunt - Rule", "ESCU - Okta Mismatch Between Source and Response for Verify Push Request - Rule", "ESCU - Okta Multiple Failed Requests to Access Applications - Rule", "ESCU - Okta New API Token Created - Rule", "ESCU - Okta New Device Enrolled on Account - Rule", "ESCU - Okta 
Phishing Detection with FastPass Origin Check - Rule", "ESCU - Okta Risk Threshold Exceeded - Rule", "ESCU - Okta Suspicious Activity Reported - Rule", "ESCU - Okta Suspicious Use of a Session Cookie - Rule", "ESCU - Okta ThreatInsight Login Failure with High Unknown users - Rule", "ESCU - Okta ThreatInsight Suspected PasswordSpray Attack - Rule", "ESCU - Okta ThreatInsight Threat Detected - Rule", "ESCU - Okta Two or More Rejected Okta Pushes - Rule", "ESCU - Okta User Logins From Multiple Cities - Rule"], "investigation_names": ["ESCU - Investigate Okta Activity by app - Response Task", "ESCU - Investigate Okta Activity by IP Address - Response Task", "ESCU - Investigate User Activities In Okta - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Multiple Okta Users With Invalid Credentials From The Same IP", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Account Locked Out", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Account Lockout Events", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Failed SSO Attempts", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta MFA Exhaustion Hunt", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Mismatch Between Source and Response for Verify Push Request", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Multi-Factor Authentication Request Generation"}]}}, {"name": "Okta Multiple Failed Requests to Access Applications", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Session Cookie"}, {"mitre_attack_technique": "Cloud Service Dashboard"}]}}, {"name": "Okta New API Token Created", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta New Device Enrolled on Account", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Phishing Detection with FastPass Origin Check", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "Okta Risk Threshold Exceeded", "source": "application", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta Suspicious Activity Reported", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Suspicious Use of a Session Cookie", "source": "application", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal Web Session Cookie"}]}}, {"name": "Okta ThreatInsight Login Failure with High Unknown users", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Credential 
Stuffing"}]}}, {"name": "Okta ThreatInsight Suspected PasswordSpray Attack", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}, {"mitre_attack_technique": "Password Spraying"}]}}, {"name": "Okta ThreatInsight Threat Detected", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}, {"name": "Okta Two or More Rejected Okta Pushes", "source": "application", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Brute Force"}]}}, {"name": "Okta User Logins From Multiple Cities", "source": "application", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Valid Accounts"}, {"mitre_attack_technique": "Default Accounts"}]}}]}, {"name": "Suspicious Regsvcs Regasm Activity", "author": "Michael Haag, Splunk", "date": "2021-02-11", "version": 1, "id": "2cdf33a0-4805-4b61-b025-59c20f418fbe", "description": "Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.", "narrative": " Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. 
Review parallel process events for csc.exe being utilized to compile script code.", "references": ["https://attack.mitre.org/techniques/T1218/009/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/"], "tags": {"name": "Suspicious Regsvcs Regasm Activity", "analytic_story": "Suspicious Regsvcs Regasm Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.009", "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Detect Regasm with Network Connection - Rule", "ESCU - Detect Regasm with no Command Line Arguments - Rule", "ESCU - Detect Regsvcs Spawning a Process - Rule", "ESCU - Detect Regsvcs with Network Connection - Rule", "ESCU - Detect Regsvcs with No Command Line Arguments - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regasm Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy 
Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regasm with no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with Network Connection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}, {"name": "Detect Regsvcs with No Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvcs/Regasm"}]}}]}, {"name": "Suspicious Regsvr32 Activity", "author": "Michael Haag, Splunk", "date": "2021-01-29", "version": 1, "id": "b8bee41e-624f-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the regsvr32.exe process. This particular bypass was popularized with \"SquiblyDoo\" using the \"scrobj.dll\" dll to load .sct scriptlets. This technique is still widely used by adversaries to bypass detection and prevention controls. The file extension of the DLL is irrelevant (it may load a .txt file extension for example). The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging regsvr32.exe to execute malicious code. Validate execution Determine if regsvr32.exe executed. 
Validate the OriginalFileName of regsvr32.exe and further PE metadata. If executed outside of c:\\windows\\system32 or c:\\windows\\syswow64, it should be highly suspect. Determine if script code was executed with regsvr32. Situational Awareness - The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by regsvr32.exe. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application? Module loads. Is regsvr32 loading any suspicious .DLLs? Unsigned or signed from non-standard paths. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of Script Code - confirm the executed script code is benign or malicious.", "references": ["https://attack.mitre.org/techniques/T1218/010/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"], "tags": {"name": "Suspicious Regsvr32 Activity", "analytic_story": "Suspicious Regsvr32 Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.010", "mitre_attack_technique": "Regsvr32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "Blue Mockingbird", "Cobalt Group", "Deep Panda", "Inception", "Kimsuky", "Leviathan", "TA551", "WIRTE"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", 
"Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Detect Regsvr32 Application Control Bypass - Rule", "ESCU - Malicious InProcServer32 Modification - Rule", "ESCU - Regsvr32 Silent and Install Param Dll Loading - Rule", "ESCU - Regsvr32 with Known Silent Switch Cmdline - Rule", "ESCU - Suspicious Regsvr32 Register Suspicious Path - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Regsvr32 Application Control Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Malicious InProcServer32 Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Regsvr32"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Regsvr32 Silent and Install Param Dll Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Regsvr32 with Known Silent Switch Cmdline", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}, {"name": "Suspicious Regsvr32 Register Suspicious Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Regsvr32"}]}}]}, {"name": "Suspicious Rundll32 Activity", "author": "Michael Haag, Splunk", "date": "2021-02-03", "version": 1, "id": 
"80a65487-854b-42f1-80a1-935e4c170694", "description": "Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.", "narrative": "One common adversary tactic is to bypass application control solutions via the rundll32.exe process. Natively, rundll32.exe will load DLLs and is a great example of a Living off the Land Binary. Rundll32.exe may load malicious DLLs by ordinals, function names or directly. The queries in this story focus on loading default DLLs, syssetup.dll, ieadvpack.dll, advpack.dll and setupapi.dll from disk that may be abused by adversaries. Additionally, two analytics developed to assist with identifying DLLRegisterServer, Start and StartW functions being called. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging rundll32.exe to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1218/011/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md", "https://lolbas-project.github.io/lolbas/Binaries/Rundll32"], "tags": {"name": "Suspicious Rundll32 Activity", "analytic_story": "Suspicious Rundll32 Activity", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious Rundll32 Rename - Rule", "ESCU - Detect Rundll32 Application Control Bypass - advpack - Rule", "ESCU - Detect Rundll32 Application Control Bypass - setupapi - Rule", "ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Rundll32 Control RunDLL Hunt - Rule", "ESCU - Rundll32 Control RunDLL World Writable Directory - Rule", "ESCU - Rundll32 with no Command Line 
Arguments with Network - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Rundll32 dllregisterserver - Rule", "ESCU - Suspicious Rundll32 no Command Line Arguments - Rule", "ESCU - Suspicious Rundll32 StartW - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious Rundll32 Rename", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rundll32"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Detect Rundll32 Application Control Bypass - advpack", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - setupapi", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Detect Rundll32 Application Control Bypass - syssetup", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Rundll32 Control RunDLL Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 Control RunDLL World Writable Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Rundll32 with no Command Line Arguments with Network", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 dllregisterserver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 no Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Rundll32 StartW", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}]}, {"name": "Suspicious Windows Registry Activities", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 1, "id": "2b1800dd-92f9-47dd-a981-fdf1351e5d55", "description": "Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.", "narrative": "Attackers are developing increasingly sophisticated techniques for hijacking target servers, while evading detection. One such technique that has become progressively more common is registry modification.\\\n The registry is a key component of the Windows operating system. It has a hierarchical database called \"registry\" that contains settings, options, and values for executables. 
Once the threat actor gains access to a machine, they can use reg.exe to modify their account to obtain administrator-level privileges, maintain persistence, and move laterally within the environment.\\\n The searches in this story are designed to help you detect behaviors associated with manipulation of the Windows registry.", "references": ["https://redcanary.com/blog/windows-registry-attacks-threat-detection/", "https://attack.mitre.org/wiki/Technique/T1112"], "tags": {"name": "Suspicious Windows Registry Activities", "analytic_story": "Suspicious Windows Registry Activities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": 
"Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", 
"Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling Remote User Account Control", "source": 
"endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mshta"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}]}, {"name": "Suspicious WMI Use", "author": "Rico Valdez, Splunk", "date": "2018-10-23", "version": 2, "id": "c8ddc5be-69bc-4202-b3ab-4010b27d7ad5", "description": "Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. 
Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.", "narrative": "WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes of a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story are used to look for suspicious use of WMI commands that attackers may leverage to interact with remote systems. The searches specifically look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it will be important for analysts and investigators to determine the context of the event. 
These details may provide insights related to how WMI was used and to what end.", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://web.archive.org/web/20210921091529/https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"], "tags": {"name": "Suspicious WMI Use", "analytic_story": "Suspicious WMI Use", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1546.003", "mitre_attack_technique": "Windows Management Instrumentation Event Subscription", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT33", "Blue Mockingbird", "FIN8", "Leviathan", "Metador", "Mustang Panda", "Turla"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1220", "mitre_attack_technique": "XSL Script Processing", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Cobalt Group", "Higaisa"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], 
"kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect WMI Event Subscription Persistence - Rule", "ESCU - PowerShell Invoke WmiExec Usage - Rule", "ESCU - Process Execution via WMI - Rule", "ESCU - Remote Process Instantiation via WMI - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Script Execution via WMI - Rule", "ESCU - Windows WMI Process Call Create - Rule", "ESCU - WMI Permanent Event Subscription - Rule", "ESCU - WMI Permanent Event Subscription - Sysmon - Rule", "ESCU - WMI Temporary Event Subscription - Rule", "ESCU - WMIC XSL Execution via URL - Rule", "ESCU - XSL Script Execution With WMIC - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task", "ESCU - Get Sysmon WMI Activity for Host - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Detect WMI Event Subscription Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "PowerShell Invoke WmiExec Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Process Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote Process Instantiation via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management 
Instrumentation"}]}}, {"name": "Script Execution via WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMI Permanent Event Subscription", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMI Permanent Event Subscription - Sysmon", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation Event Subscription"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "WMI Temporary Event Subscription", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "WMIC XSL Execution via URL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}, {"name": "XSL Script Execution With WMIC", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "XSL Script Processing"}]}}]}, {"name": "Suspicious Zoom Child Processes", "author": "David Dorsey, Splunk", "date": "2020-04-13", "version": 1, "id": "aa3749a6-49c7-491e-a03f-4eaee5fe0258", "description": "Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.", "narrative": "Zoom is a leader in modern enterprise video communications and its usage has increased dramatically with a large amount of the population under stay-at-home orders due to the COVID-19 pandemic. 
With increased usage has come increased scrutiny and several security flaws have been found with this application on both Windows and macOS systems.\\\nCurrent detections focus on finding new child processes of this application on a per host basis. Investigative searches are included to gather information needed during an investigation.", "references": ["https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/", "https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/"], "tags": {"name": "Suspicious Zoom Child Processes", "analytic_story": "Suspicious Zoom Child Processes", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", 
"admin@338", "menuPass"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Execution", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Detect Prohibited Applications Spawning cmd exe - Rule", "ESCU - First Time Seen Child Process of Zoom - Rule"], "investigation_names": ["ESCU - Get Process File Activity - Response Task"], "baseline_names": ["ESCU - Previously Seen Zoom Child Processes - Initial", "ESCU - Previously Seen Zoom Child Processes - Update"], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Detect Prohibited Applications Spawning cmd exe", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Windows Command Shell"}]}}, {"name": "First Time Seen Child Process of Zoom", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "Swift Slicer", "author": "Teoderick Contreras, Rod Soto, Splunk", "date": "2023-02-01", "version": 1, "id": "234c9dd7-52fb-4d6f-aec9-075ef88a2cea", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.", "narrative": "Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine 
inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.", "references": ["https://twitter.com/ESETresearch/status/1618960022150729728", "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/"], "tags": {"name": "Swift Slicer", "analytic_story": "Swift Slicer", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Data Destruction Recursive Exec Files Deletion - Rule", "ESCU - Windows High File Deletion Frequency - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto, Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Executables Or Script Creation In 
Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Data Destruction Recursive Exec Files Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}]}, {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-11-09", "version": 1, "id": "228f22cb-3436-4c31-8af4-370d40af7b49", "description": "A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.", "narrative": "The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. 
SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.", "references": ["https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification"], "tags": {"name": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "analytic_story": "SysAid On-Prem Software CVE-2023-47246 Vulnerability", "category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", 
"TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], 
"mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Command And Control", "Execution", "Initial Access", "Persistence"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control", "Delivery", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - Java Writing JSP File - Rule", "ESCU - Windows Java Spawning Shells - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Java Writing JSP File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, 
{"mitre_attack_technique": "External Remote Services"}]}}, {"name": "Windows Java Spawning Shells", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Text4Shell CVE-2022-42889", "author": "Michael Haag, Splunk", "date": "2022-10-26", "version": 1, "id": "95ae800d-485e-47f7-866e-8be281aa497b", "description": "A new critical vulnerability CVE-2022-42889 a.k.a. Text4shell, similar to the old Spring4Shell and Log4Shell, was originally reported by Alvaro Munoz on the very popular Apache Commons Text library.", "narrative": "Apache Commons Text is a Java library described as \"a library focused on algorithms working on strings.\" We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the \"script,\" \"dns,\" and \"url\" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups. In order to exploit the vulnerabilities, the following requirements must be met - Run a version of Apache Commons Text from version 1.5 to 1.9 and use the StringSubstitutor interpolator. It is important to specify that the StringSubstitutor interpolator is not as widely used as the string substitution in Log4j, which led to Log4Shell. According to the CVSSv3 system, it scores 9.8 as CRITICAL severity. The severity is Critical due to the easy exploitability and huge potential impact in terms of confidentiality, integrity, and availability. As we showed in the previous section, you can take full control over the vulnerable system with a crafted request. 
However, it is not likely the vulnerabilities will have the same impacts as the previous Log4Shell and Spring4Shell.", "references": ["https://sysdig.com/blog/cve-2022-42889-text4shell/"], "tags": {"name": "Text4Shell CVE-2022-42889", "analytic_story": "Text4Shell CVE-2022-42889", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Application Security", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard 
Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Exploit Public Facing Application via Apache Commons Text - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Exploit Public Facing Application via Apache Commons Text", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Web Shell"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Trickbot", "author": "Rod Soto, Teoderick Contreras, Splunk", "date": "2021-04-20", "version": 1, "id": "16f93769-8342-44c0-9b1d-f131937cce8e", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.", "narrative": "trickbot banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS where target security Microsoft Defender to prevent its detection and removal. 
steal Verizon credentials and targeting banks using its multi component modules that collect and exfiltrate data.", "references": ["https://en.wikipedia.org/wiki/Trickbot", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "tags": {"name": "Trickbot", "analytic_story": "Trickbot", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1087.002", "mitre_attack_technique": "Domain Account", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["BRONZE BUTLER", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "Ke3chang", "LAPSUS$", "MuddyWater", "OilRig", "Poseidon Group", "Sandworm Team", "Turla", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral 
Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", 
"Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", 
"TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1590", "mitre_attack_technique": "Gather Victim Network Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["HAFNIUM"]}, {"mitre_attack_id": "T1590.005", "mitre_attack_technique": "IP Addresses", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["Andariel", "HAFNIUM", "Magic Hound"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Account Discovery With Net App - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - Cobalt Strike Named Pipes - Rule", "ESCU - Executable File Written in Administrative SMB Share 
- Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Mshta spawning Rundll32 OR Regsvr32 Process - Rule", "ESCU - Office Application Spawn rundll32 process - Rule", "ESCU - Office Document Executing Macro Code - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Office Product Spawning CertUtil - Rule", "ESCU - Powershell Remote Thread To Known Windows Process - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Rundll32 StartW - Rule", "ESCU - Trickbot Named Pipe - Rule", "ESCU - Wermgr Process Connecting To IP Check Web Services - Rule", "ESCU - Wermgr Process Create Executable File - Rule", "ESCU - Wermgr Process Spawned CMD Or Powershell Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Teoderick Contreras, Splunk", "author_name": "Rod Soto", "detections": [{"name": "Account Discovery With Net App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Domain Account"}, {"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Cobalt Strike Named Pipes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Executable File Written in Administrative SMB Share", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Mshta spawning Rundll32 OR Regsvr32 Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Mshta"}]}}, {"name": "Office Application Spawn rundll32 process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Document Executing Macro Code", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawning CertUtil", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Powershell Remote Thread To Known Windows Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Rundll32 StartW", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Trickbot Named Pipe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Wermgr Process Connecting To IP Check Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Network Information"}, {"mitre_attack_technique": "IP Addresses"}]}}, {"name": "Wermgr Process Create Executable File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Wermgr Process Spawned CMD Or Powershell Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Trusted Developer Utilities Proxy Execution", "author": "Michael Haag, Splunk", "date": "2021-01-12", "version": 1, "id": "270a67a6-55d8-11eb-ae93-0242ac130002", "description": "Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.", "narrative": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. 
These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.", "references": ["https://attack.mitre.org/techniques/T1127/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/"], "tags": {"name": "Trusted Developer Utilities Proxy Execution", "analytic_story": "Trusted Developer Utilities Proxy Execution", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Suspicious microsoft workflow compiler rename - Rule", "ESCU - Suspicious microsoft workflow compiler usage - Rule"], "investigation_names": [], "baseline_names": [], "author_company": 
"Splunk", "author_name": "Michael Haag", "detections": [{"name": "Suspicious microsoft workflow compiler rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious microsoft workflow compiler usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}]}, {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "author": "Michael Haag, Splunk", "date": "2021-01-21", "version": 1, "id": "be3418e2-551b-11eb-ae93-0242ac130002", "description": "Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.", "narrative": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.\\\nThe inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.\\\nThe searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.\\\nTriage\\\nValidate execution\\\n1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\\\n1. 
Determine if script code was executed with MSBuild.\\\nSituational Awareness\\\nThe objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\\\n1. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\\\n1. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\\\n1. Network connections. Any network connections? Review the reputation of the remote IP or domain.\\\nRetrieval of script code\\\nThe objective of this step is to confirm the executed script code is benign or malicious.", "references": ["https://attack.mitre.org/techniques/T1127/001/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md", "https://github.com/infosecn1nja/MaliciousMacroMSBuild", "https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1", "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", "https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md"], "tags": {"name": "Trusted Developer Utilities Proxy Execution MSBuild", "analytic_story": "Trusted Developer Utilities Proxy Execution MSBuild", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1127.001", "mitre_attack_technique": "MSBuild", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic 
Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - MSBuild Suspicious Spawned By Script Process - Rule", "ESCU - Suspicious msbuild path - Rule", "ESCU - Suspicious MSBuild Rename - Rule", "ESCU - Suspicious MSBuild Spawn - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "MSBuild Suspicious Spawned By Script Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "MSBuild"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}]}}, {"name": "Suspicious msbuild path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Rename", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "MSBuild"}]}}, {"name": "Suspicious MSBuild Spawn", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "MSBuild"}]}}]}, {"name": "Unusual Processes", "author": "Bhavin Patel, Splunk", "date": "2020-02-04", "version": 2, "id": 
"f4368e3f-d59f-4192-84f6-748ac5a3ddb6", "description": "Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.", "narrative": "Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.\\\nThis Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.\\\nIn the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. 
This extra information may provide clues that can help the analyst further investigate any suspicious activity.", "references": ["https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html", "https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf", "https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262"], "tags": {"name": "Unusual Processes", "analytic_story": "Unusual Processes", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard 
Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.011", "mitre_attack_technique": "Rundll32", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT28", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "CopyKittens", "FIN7", "Gamaredon Group", "HAFNIUM", "Kimsuky", "Lazarus Group", "LazyScripter", "Magic Hound", "MuddyWater", "Sandworm Team", "TA505", "TA551", "Wizard Spider"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1036.008", "mitre_attack_technique": "Masquerade File Type", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Volt Typhoon"]}, {"mitre_attack_id": "T1218.012", "mitre_attack_technique": "Verclsid", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic 
Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1027.011", "mitre_attack_technique": "Fileless Storage", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "Turla"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": 
"T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation", "Reconnaissance", "Resource Development"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation", "Reconnaissance", "Weaponization"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Detect processes used for System Network Configuration Discovery - Rule", "ESCU - Detect Rare Executables - Rule", "ESCU - Rundll32 Shimcache Flush - Rule", "ESCU - RunDLL Loading DLL By Ordinal - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Unusually Long Command Line - Rule", "ESCU - Unusually Long Command Line - MLTK - Rule", "ESCU - Verclsid CLSID 
Execution - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows Registry Payload Injection - Rule", "ESCU - Windows Remote Assistance Spawning Process - Rule", "ESCU - WinRM Spawning a Process - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Baseline of Command Line Length - MLTK"], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Detect processes used for System Network Configuration Discovery", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Detect Rare Executables", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Rundll32 Shimcache Flush", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "RunDLL Loading DLL By Ordinal", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Rundll32"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process Executed From Container File", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}, {"mitre_attack_technique": "Masquerade File Type"}]}}, {"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Unusually Long Command Line", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Unusually Long Command Line - MLTK", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": []}}, {"name": "Verclsid CLSID Execution", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Verclsid"}, {"mitre_attack_technique": "System Binary Proxy Execution"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Registry Payload Injection", "source": "endpoint", 
"type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "Fileless Storage"}]}}, {"name": "Windows Remote Assistance Spawning Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "WinRM Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Use of Cleartext Protocols", "author": "Bhavin Patel, Splunk", "date": "2017-09-15", "version": 1, "id": "826e6431-aeef-41b4-9fc0-6d0985d65a21", "description": "Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.", "narrative": "Various legacy protocols operate by default in the clear, without the protections of encryption. This potentially leaks sensitive information that can be exploited by passively sniffing network traffic. Depending on the protocol, this information could be highly sensitive, or could allow for session hijacking. 
In addition, these protocols send authentication information, which would allow for the harvesting of usernames and passwords that could potentially be used to authenticate and compromise secondary systems.", "references": ["https://www.monkey.org/~dugsong/dsniff/"], "tags": {"name": "Use of Cleartext Protocols", "analytic_story": "Use of Cleartext Protocols", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [], "mitre_attack_tactics": [], "datamodels": ["Network_Traffic"], "kill_chain_phases": []}, "detection_names": ["ESCU - Protocols passing authentication in cleartext - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Process Information For Port Activity - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Protocols passing authentication in cleartext", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}]}, {"name": "VMware Aria Operations vRealize CVE-2023-20887", "author": "Michael Haag, Splunk", "date": "2023-06-21", "version": 1, "id": "99171cdd-57a1-4b8a-873c-f8bee12e2025", "description": "CVE-2023-20887 is a critical vulnerability affecting VMware's vRealize Network Insight (also known as VMware Aria Operations for Networks). It allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges via the Apache Thrift RPC interface. The exploit, which has a severity score of 9.8, targets an endpoint (\"/saas./resttosaasservlet\") in the application and delivers a malicious payload designed to create a reverse shell, granting the attacker control over the system. 
VMware has released an advisory recommending users to update to the latest version to mitigate this threat.", "narrative": "CVE-2023-20887 is a highly critical vulnerability found in VMware's vRealize Network Insight. This software is widely used for intelligent operations management across physical, virtual, and cloud environments, so a vulnerability in it poses a significant risk to many organizations.\\\nThis particular vulnerability lies in the application's Apache Thrift RPC interface. The exploit allows an attacker to inject commands that are executed with root privileges, leading to a potential total compromise of the system. The attacker does not need to be authenticated, which further increases the risk posed by this vulnerability.\\\nThe exploit operates by sending a specially crafted payload to the \"/saas./resttosaasservlet\" endpoint. This payload contains a reverse shell command, which, when executed, allows the attacker to remotely control the victim's system. This control is obtained at the root level, providing the attacker with the ability to perform any action on the system.\\\nWhat makes this vulnerability particularly dangerous is its high severity score of 9.8, indicating it is a critical threat. It's also noteworthy that the exploitation of this vulnerability leaves specific indicators such as abnormal traffic to the \"/saas./resttosaasservlet\" endpoint and suspicious ncat commands in network traffic, which can help in its detection.\\\nVMware has acknowledged the vulnerability and has published a security advisory recommending that users update to the latest version of the software. This update effectively patches the vulnerability and protects systems from this exploit. 
It's crucial that all users of the affected versions of VMware's vRealize Network Insight promptly apply the update to mitigate the risk posed by CVE-2023-20887.", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2023-20887", "https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/", "https://viz.greynoise.io/tag/VMware-aria-operations-for-networks-rce-attempt?days=30", "https://github.com/sinsinology/CVE-2023-20887"], "tags": {"name": "VMware Aria Operations vRealize CVE-2023-20887", "analytic_story": "VMware Aria Operations vRealize CVE-2023-20887", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1210", "mitre_attack_technique": "Exploitation of Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "Dragonfly", "Earth Lusca", "FIN7", "Fox Kitten", "MuddyWater", "Threat Group-3390", "Tonto Team", "Wizard Spider", "menuPass"]}, 
{"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Web"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - VMWare Aria Operations Exploit Attempt - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMWare Aria Operations Exploit Attempt", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "External Remote Services"}, {"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "Exploitation of Remote Services"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}]}, {"name": "VMware Server Side Injection and Privilege Escalation", "author": "Michael Haag, Splunk", "date": "2022-05-19", "version": 1, "id": "d6d51cc2-a092-43b7-9f61-1159943afe39", "description": "Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.", "narrative": "On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. 
The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.", "references": ["https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis", "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"], "tags": {"name": "VMware Server Side Injection and Privilege Escalation", "analytic_story": "VMware Server Side Injection and Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}, {"mitre_attack_id": "T1133", "mitre_attack_technique": "External Remote Services", "mitre_attack_tactics": ["Initial Access", "Persistence"], "mitre_attack_groups": ["APT18", "APT28", "APT29", "APT41", "Chimera", "Dragonfly", "FIN13", "FIN5", "GALLIUM", "GOLD SOUTHFIELD", "Ke3chang", "Kimsuky", "LAPSUS$", "Leviathan", "OilRig", "Sandworm Team", "Scattered Spider", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Wizard Spider"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Web"], "kill_chain_phases": 
["Delivery", "Installation"]}, "detection_names": ["ESCU - VMware Server Side Template Injection Hunt - Rule", "ESCU - VMware Workspace ONE Freemarker Server-side Template Injection - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "VMware Server Side Template Injection Hunt", "source": "web", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}, {"name": "VMware Workspace ONE Freemarker Server-side Template Injection", "source": "web", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}, {"mitre_attack_technique": "External Remote Services"}]}}]}, {"name": "Volt Typhoon", "author": "Teoderick Contreras, Splunk", "date": "2023-05-25", "version": 1, "id": "f73010e4-49eb-44ef-9f3f-2c25a1ae5415", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the \"Volt Typhoon\" group targeting critical infrastructure organizations in United States and Guam. The affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. This Analytic story looks for suspicious process execution, lolbin execution, command-line activity, lsass dump and many more.", "narrative": "Volt Typhoon is a state sponsored group typically focuses on espionage and information gathering.\\ Based on Microsoft Threat Intelligence, This threat actor group puts strong emphasis on stealth in this campaign by relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. 
\\ They issue commands via the command line to :\\ (1) collect data, including credentials from local and network systems, \\ (2) put the data into an archive file to stage it for exfiltration, and then \\ (3) use the stolen valid credentials to maintain persistence. \\ In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"], "tags": {"name": "Volt Typhoon", "analytic_story": "Volt Typhoon", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.007", "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "Cobalt Group", "Earth Lusca", "Ember Bear", "Evilnum", "FIN6", "FIN7", "Higaisa", "Indrik Spider", "Kimsuky", "LazyScripter", "Leafminer", "Molerats", "MoustachedBouncer", "MuddyWater", "Sidewinder", "Silence", "TA505", "Turla"]}, {"mitre_attack_id": "T1003.003", "mitre_attack_technique": "NTDS", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "Chimera", "Dragonfly", "FIN13", "FIN6", "Fox Kitten", "HAFNIUM", 
"Ke3chang", "LAPSUS$", "Mustang Panda", "Sandworm Team", "Volt Typhoon", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1003.001", "mitre_attack_technique": "LSASS Memory", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT1", "APT28", "APT3", "APT32", "APT33", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Cleaver", "Earth Lusca", "FIN13", "FIN6", "FIN8", "Fox Kitten", "GALLIUM", "HAFNIUM", "Indrik Spider", "Ke3chang", "Kimsuky", "Leafminer", "Leviathan", "Magic Hound", "MuddyWater", "OilRig", "PLATINUM", "Sandworm Team", "Silence", "TEMP.Veles", "Threat Group-3390", "Volt Typhoon", "Whitefly", "Wizard Spider"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", 
"Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", 
"Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, 
{"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1590.002", "mitre_attack_technique": "DNS", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1110.003", "mitre_attack_technique": "Password Spraying", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": 
["APT28", "APT29", "APT33", "Chimera", "HEXANE", "Lazarus Group", "Leafminer", "Silent Librarian"]}, {"mitre_attack_id": "T1110", "mitre_attack_technique": "Brute Force", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT38", "APT39", "DarkVishnya", "Dragonfly", "FIN5", "Fox Kitten", "HEXANE", "OilRig", "Turla"]}, {"mitre_attack_id": "T1090.001", "mitre_attack_technique": "Internal Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT39", "FIN13", "Higaisa", "Lazarus Group", "Strider", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1090", "mitre_attack_technique": "Proxy", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT41", "Blue Mockingbird", "CopyKittens", "Earth Lusca", "Fox Kitten", "LAPSUS$", "Magic Hound", "MoustachedBouncer", "POLONIUM", "Sandworm Team", "Turla", "Volt Typhoon", "Windigo"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", "ESCU - Creation of Shadow Copy - Rule", "ESCU - Creation of Shadow Copy with wmic and powershell - Rule", "ESCU - Detect PsExec With accepteula Flag - Rule", "ESCU - Dump LSASS via comsvcs DLL - Rule", "ESCU - Elevated Group Discovery With Net - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Extraction of Registry Hives - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - 
Malicious PowerShell Process - Execution Policy Bypass - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Ntdsutil Export NTDS - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Remote WMI Command Attempt - Rule", "ESCU - Suspicious Copy on System32 - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows DNS Gather Network Info - Rule", "ESCU - Windows Ldifde Directory Object Behavior - Rule", "ESCU - Windows Mimikatz Binary Execution - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Fail To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Invalid Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Host Using NTLM - Rule", "ESCU - Windows Multiple Users Failed To Authenticate From Process - Rule", "ESCU - Windows Multiple Users Failed To Authenticate Using Kerberos - Rule", "ESCU - Windows Multiple Users Remotely Failed To Authenticate From Host - Rule", "ESCU - Windows Proxy Via Netsh - Rule", "ESCU - Windows Proxy Via Registry - Rule", "ESCU - Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials - Rule", "ESCU - Windows Unusual Count Of Users Failed To Auth Using Kerberos - Rule", "ESCU - Windows Unusual Count Of Users Failed To Authenticate From Process - Rule", "ESCU - Windows 
Unusual Count Of Users Failed To Authenticate Using NTLM - Rule", "ESCU - Windows Unusual Count Of Users Remotely Failed To Auth From Host - Rule", "ESCU - Windows WMI Process Call Create - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Cmdline Tool Not Executed In CMD Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "JavaScript"}]}}, {"name": "Creation of Shadow Copy", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Creation of Shadow Copy with wmic and powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Detect PsExec With accepteula Flag", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}]}}, {"name": "Dump LSASS via comsvcs DLL", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Memory"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Elevated Group Discovery With Net", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Extraction of Registry Hives", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Malicious PowerShell Process - Execution Policy Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, 
{"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Ntdsutil Export NTDS", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "NTDS"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Processes launching netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Remote WMI Command Attempt", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}, {"name": "Suspicious Copy on System32", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "Masquerading"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, 
{"name": "Windows DNS Gather Network Info", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DNS"}]}}, {"name": "Windows Ldifde Directory Object Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Windows Mimikatz Binary Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Fail To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Invalid Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Host Using NTLM", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate From Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Failed To Authenticate Using Kerberos", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Proxy Via Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}}, {"name": "Windows Proxy Via Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Internal Proxy"}, {"mitre_attack_technique": "Proxy"}]}}, {"name": "Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of 
Users Fail To Auth Wth ExplicitCredentials", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Auth Using Kerberos", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate From Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Failed To Authenticate Using NTLM", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows Unusual Count Of Users Remotely Failed To Auth From Host", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Spraying"}, {"mitre_attack_technique": "Brute Force"}]}}, {"name": "Windows WMI Process Call Create", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}]}, {"name": "Warzone RAT", "author": "Teoderick Contreras, Splunk", "date": "2023-07-26", "version": 1, "id": "8dc84752-f4da-4285-931c-bddd5c4d440b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might related to warzone (Ave maria) RAT. 
This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more.", "narrative": "Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools.\" This version provides more context and elaborates on the malware's capabilities and potential impact. 
Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively.", "references": ["https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer.", "https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html"], "tags": {"name": "Warzone RAT", "analytic_story": "Warzone RAT", "category": ["Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege 
Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1555.003", "mitre_attack_technique": "Credentials from Web Browsers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT3", "APT33", "APT37", "Ajax Security Team", "FIN6", "HEXANE", "Inception", "Kimsuky", "LAPSUS$", "Leafminer", "Molerats", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Stealth Falcon", "TA505", "ZIRCONIUM"]}, {"mitre_attack_id": "T1566", "mitre_attack_technique": "Phishing", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["Axiom", "GOLD SOUTHFIELD"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": "Spearphishing Attachment", "mitre_attack_tactics": 
["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1497", "mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", 
"TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204.001", "mitre_attack_technique": "Malicious Link", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1204", "mitre_attack_technique": "User Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1553.005", "mitre_attack_technique": "Mark-of-the-Web Bypass", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["APT29", "TA505"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.002", "mitre_attack_technique": "Portable Executable Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Gorgon Group", "Rocke"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Discovery", "Execution", "Initial Access", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Create Remote Thread In Shell Application - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Office Application Drop Executable - Rule", "ESCU - Office Product Spawn CMD Process - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Registry 
Keys Used For Persistence - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Windows Bypass UAC via Pkgmgr Tool - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows ISO LNK File Creation - Rule", "ESCU - Windows Mark Of The Web Bypass - Rule", "ESCU - Windows Modify Registry MaxConnectionPerServer - Rule", "ESCU - Windows Phishing Recent ISO Exec Registry - Rule", "ESCU - Windows Process Injection Remote Thread - Rule", "ESCU - Windows Unsigned DLL Side-Loading - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Create Remote Thread In Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Non Chrome Process Accessing Chrome Default Dir", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Non Firefox Process Access Firefox Profile Dir", 
"source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}, {"mitre_attack_technique": "Credentials from Web Browsers"}]}}, {"name": "Office Application Drop Executable", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Office Product Spawn CMD Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Spearphishing Attachment"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Bypass UAC via Pkgmgr Tool", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "Windows Credentials from Password Stores Chrome LocalState Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Credentials from Password Stores 
Chrome Login Data Access", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows ISO LNK File Creation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}, {"mitre_attack_technique": "Malicious Link"}, {"mitre_attack_technique": "User Execution"}]}}, {"name": "Windows Mark Of The Web Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mark-of-the-Web Bypass"}]}}, {"name": "Windows Modify Registry MaxConnectionPerServer", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Phishing Recent ISO Exec Registry", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Phishing"}]}}, {"name": "Windows Process Injection Remote Thread", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Portable Executable Injection"}]}}, {"name": "Windows Unsigned DLL Side-Loading", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}]}}]}, {"name": "WhisperGate", "author": "Teoderick Contreras, Splunk", "date": "2022-01-19", "version": 1, "id": "0150e6e5-3171-442e-83f8-1ccd8599569b", "description": "This analytic story contains detections that allow security analysts to detect and investigate unusual activities that 
might relate to the destructive malware targeting Ukrainian organizations also known as \"WhisperGate\". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.", "narrative": "WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.", "references": ["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"], "tags": {"name": "WhisperGate", "analytic_story": "WhisperGate", "category": ["Data Destruction", "Malware", "Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt 
Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1021.002", "mitre_attack_technique": "SMB/Windows Admin Shares", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT28", "APT3", "APT32", "APT39", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "FIN13", "FIN8", "Fox Kitten", "Ke3chang", "Lazarus Group", "Moses Staff", "Orangeworm", "Sandworm Team", "Threat Group-1314", "Turla", "Wizard Spider"]}, 
{"mitre_attack_id": "T1021.003", "mitre_attack_technique": "Distributed Component Object Model", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1497", 
"mitre_attack_technique": "Virtualization/Sandbox Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["Darkhotel"]}, {"mitre_attack_id": "T1497.003", "mitre_attack_technique": "Time Based Evasion", "mitre_attack_tactics": ["Defense Evasion", "Discovery"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1059.005", "mitre_attack_technique": "Visual Basic", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT32", "APT33", "APT37", "APT38", "APT39", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Earth Lusca", "FIN13", "FIN4", "FIN7", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "Transparent Tribe", "Turla", "WIRTE", "Windshift"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1218.004", "mitre_attack_technique": "InstallUtil", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Mustang Panda", "menuPass"]}, {"mitre_attack_id": "T1588.002", "mitre_attack_technique": "Tool", "mitre_attack_tactics": ["Resource Development"], 
"mitre_attack_groups": ["APT-C-36", "APT1", "APT19", "APT28", "APT29", "APT32", "APT33", "APT38", "APT39", "APT41", "Aoqin Dragon", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Carbanak", "Chimera", "Cleaver", "Cobalt Group", "CopyKittens", "DarkHydrus", "DarkVishnya", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN5", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "GALLIUM", "Gorgon Group", "HEXANE", "Inception", "IndigoZebra", "Ke3chang", "Kimsuky", "LAPSUS$", "Lazarus Group", "Leafminer", "LuminousMoth", "Magic Hound", "Metador", "Moses Staff", "MuddyWater", "POLONIUM", "Patchwork", "PittyTiger", "Sandworm Team", "Silence", "Silent Librarian", "TA2541", "TA505", "TEMP.Veles", "Threat Group-3390", "Thrip", "Turla", "Volt Typhoon", "WIRTE", "Whitefly", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1561.002", "mitre_attack_technique": "Disk Structure Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1561", "mitre_attack_technique": "Disk Wipe", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege 
Escalation", "Resource Development"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Weaponization"]}, "detection_names": ["ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - Attempt To Stop Security Service - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - Excessive File Deletion In WinDefender Folder - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Impacket Lateral Movement Commandline Parameters - Rule", "ESCU - Impacket Lateral Movement smbexec CommandLine Parameters - Rule", "ESCU - Impacket Lateral Movement WMIExec Commandline Parameters - Rule", "ESCU - Malicious PowerShell Process - Encoded Command - Rule", "ESCU - Ping Sleep Batch Command - Rule", "ESCU - Powershell Remove Windows Defender Directory - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Process Deleting Its Process File Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - Suspicious Process With Discord DNS Query - Rule", "ESCU - Windows DotNet Binary in Non Standard Path - Rule", "ESCU - Windows High File Deletion Frequency - Rule", "ESCU - Windows InstallUtil in Non Standard Path - Rule", "ESCU - Windows NirSoft AdvancedRun - Rule", "ESCU - Windows NirSoft Utilities - Rule", "ESCU - Windows Raw Access To Master Boot Record Drive - Rule", "ESCU - Wscript Or Cscript Suspicious Child Process - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Attempt To Stop Security Service", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Excessive File Deletion In WinDefender Folder", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Impacket Lateral Movement Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement smbexec CommandLine Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, {"mitre_attack_technique": "Windows Service"}]}}, {"name": "Impacket Lateral Movement WMIExec Commandline Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}, {"mitre_attack_technique": "SMB/Windows Admin Shares"}, {"mitre_attack_technique": "Distributed Component Object Model"}, {"mitre_attack_technique": "Windows Management Instrumentation"}, 
{"mitre_attack_technique": "Windows Service"}]}}, {"name": "Malicious PowerShell Process - Encoded Command", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Ping Sleep Batch Command", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Virtualization/Sandbox Evasion"}, {"mitre_attack_technique": "Time Based Evasion"}]}}, {"name": "Powershell Remove Windows Defender Directory", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Process Deleting Its Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Suspicious Process DNS Query Known Abuse Web Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process With Discord DNS Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Visual Basic"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows DotNet Binary in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, 
{"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows High File Deletion Frequency", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows InstallUtil in Non Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "InstallUtil"}]}}, {"name": "Windows NirSoft AdvancedRun", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows NirSoft Utilities", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Tool"}]}}, {"name": "Windows Raw Access To Master Boot Record Drive", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disk Structure Wipe"}, {"mitre_attack_technique": "Disk Wipe"}]}}, {"name": "Wscript Or Cscript Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}]}, {"name": "Windows Attack Surface Reduction", "author": "Michael Haag, Splunk", "date": "2023-11-27", "version": 1, "id": "1d61c474-3cd6-4c23-8c68-f128ac4b209b", "description": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. 
ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule.", "narrative": "This story contains detections for Windows Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This story contains detections for ASR events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. It includes detections for both block and audit event IDs. Block event IDs are generated when an action is blocked by an ASR rule, while audit event IDs are generated when an action that would be blocked by an ASR rule is allowed to proceed for auditing purposes.", "references": ["https://asrgen.streamlit.app/", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide"], "tags": {"name": "Windows Attack Surface Reduction", "analytic_story": "Windows Attack Surface Reduction", "category": ["Best Practices"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1566.001", "mitre_attack_technique": 
"Spearphishing Attachment", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT-C-36", "APT1", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "IndigoZebra", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1566.002", "mitre_attack_technique": "Spearphishing Link", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT3", "APT32", "APT33", "APT39", "BlackTech", "Cobalt Group", "Confucius", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "Evilnum", "FIN4", "FIN7", "FIN8", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "Transparent Tribe", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", 
"Threat Group-3390", "Turla", "Wizard Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Initial Access"], "datamodels": [], "kill_chain_phases": ["Delivery", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows Defender ASR Audit Events - Rule", "ESCU - Windows Defender ASR Block Events - Rule", "ESCU - Windows Defender ASR Registry Modification - Rule", "ESCU - Windows Defender ASR Rule Disabled - Rule", "ESCU - Windows Defender ASR Rules Stacking - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows Defender ASR Audit Events", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Windows Defender ASR Block Events", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}]}}, {"name": "Windows Defender ASR Registry Modification", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Defender ASR Rule Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Defender ASR Rules Stacking", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Spearphishing Attachment"}, {"mitre_attack_technique": "Spearphishing Link"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}]}, {"name": "Windows BootKits", "author": "Michael Haag, Splunk", "date": "2023-05-03", "version": 1, "id": 
"1bef004d-23b2-4c49-8ceb-b59af0745317", "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.", "narrative": "A bootkit is a sophisticated type of malware that targets the boot sectors of a hard drive, specifically the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the initial section of the disk that is loaded following the hardware initialization process executed by the Basic Input/Output System (BIOS). It houses the boot loader, which is responsible for loading the operating system. In contrast, the VBR is located at the beginning of each partition and contains the boot code for that specific partition. When an adversary gains raw access to the boot drive, they can overwrite the MBR or VBR, effectively diverting the execution during startup from the standard boot loader to the malicious code injected by the attacker. This tampering allows the malware to load before the operating system, enabling it to execute malicious activities stealthily and maintain persistence on the compromised system. Bootkits are particularly dangerous because they can bypass security measures implemented by the operating system and antivirus software. Since they load before the operating system, they can easily evade detection and manipulate the system's behavior from the earliest stages of the boot process. This capability makes bootkits a potent tool in an attacker's arsenal for gaining unauthorized access, stealing sensitive information, or launching further attacks on other systems. To defend against bootkit attacks, organizations should implement multiple layers of security, including strong endpoint protection, regular software updates, user awareness training, and monitoring for unusual system behavior. 
Additionally, hardware-based security features, such as Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM), can help protect the integrity of the boot process and reduce the risk of bootkit infections.", "references": ["https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"], "tags": {"name": "Windows BootKits", "analytic_story": "Windows BootKits", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1542.001", "mitre_attack_technique": "System Firmware", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1542", "mitre_attack_technique": "Pre-OS Boot", "mitre_attack_tactics": ["Defense Evasion", "Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], 
"kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Windows BootLoader Inventory - Rule", "ESCU - Windows Registry BootExecute Modification - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows BootLoader Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Firmware"}, {"mitre_attack_technique": "Pre-OS Boot"}]}}, {"name": "Windows Registry BootExecute Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Pre-OS Boot"}, {"mitre_attack_technique": "Registry Run Keys / Startup Folder"}]}}]}, {"name": "Windows Certificate Services", "author": "Michael Haag, Splunk", "date": "2023-02-01", "version": 1, "id": "b92b4ac7-0026-4408-a6b5-c1d20658e124", "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material.", "narrative": "The following analytic story focuses on remote and local endpoint certificate theft and abuse. Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. Unsecured Credentials), or directly from the Windows certificate store via various crypto APIs.With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Abusing certificates for authentication credentials may enable other behaviors such as Lateral Movement. 
Certificate-related misconfigurations may also enable opportunities for Privilege Escalation, by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. These abuses may also enable Persistence via stealing or forging certificates that can be used as Valid Accounts for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. (MITRE ATT&CK)", "references": ["https://attack.mitre.org/techniques/T1649/"], "tags": {"name": "Windows Certificate Services", "analytic_story": "Windows Certificate Services", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1649", "mitre_attack_technique": "Steal or Forge Authentication Certificates", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat 
Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1560", "mitre_attack_technique": "Archive Collected Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT32", "Axiom", "Dragonfly", "FIN6", "Ke3chang", "Lazarus Group", "Leviathan", "LuminousMoth", "Patchwork", "menuPass"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured 
Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", "mitre_attack_tactics": ["Defense Evasion", "Lateral Movement"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Credential Access", "Defense Evasion", "Execution", "Lateral Movement"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Certutil exe certificate extraction - Rule", "ESCU - Detect Certify Command Line Arguments - Rule", "ESCU - Detect Certify With PowerShell Script Block Logging - Rule", "ESCU - Detect Certipy File Modifications - Rule", "ESCU - Steal or Forge Authentication Certificates Behavior Identified - Rule", "ESCU - Windows Export Certificate - Rule", "ESCU - Windows Mimikatz Crypto Export File Extensions - Rule", "ESCU - Windows PowerShell Export Certificate - Rule", "ESCU - Windows PowerShell Export PfxCertificate - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Abuse - Rule", "ESCU - Windows Steal Authentication Certificates - ESC1 Authentication - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Issued - Rule", "ESCU - Windows Steal Authentication Certificates Certificate Request - Rule", "ESCU - Windows Steal Authentication Certificates CertUtil Backup - Rule", "ESCU - Windows Steal Authentication Certificates CryptoAPI - Rule", "ESCU - Windows Steal Authentication Certificates CS Backup - Rule", "ESCU - Windows Steal Authentication Certificates Export Certificate - Rule", "ESCU - Windows Steal Authentication Certificates Export PfxCertificate - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": 
{"mitre_attack_enrichments": []}}, {"name": "Detect Certify Command Line Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Detect Certify With PowerShell Script Block Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Detect Certipy File Modifications", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Archive Collected Data"}]}}, {"name": "Steal or Forge Authentication Certificates Behavior Identified", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Mimikatz Crypto Export File Extensions", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows PowerShell Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows PowerShell Export PfxCertificate", "source": "endpoint", "type": 
"Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}, {"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates - ESC1 Abuse", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates - ESC1 Authentication", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}, {"mitre_attack_technique": "Use Alternate Authentication Material"}]}}, {"name": "Windows Steal Authentication Certificates Certificate Issued", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Certificate Request", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CertUtil Backup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CryptoAPI", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates CS Backup", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Export Certificate", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}, {"name": "Windows Steal Authentication Certificates Export PfxCertificate", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Authentication Certificates"}]}}]}, {"name": "Windows Defense Evasion Tactics", "author": "David Dorsey, Splunk", "date": "2018-05-31", "version": 1, "id": "56e24a28-5003-4047-b2db-e8f3c4618064", "description": "Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others ", "narrative": "Defense evasion is a tactic--identified in the MITRE ATT&CK framework--that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. 
This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.", "references": ["https://attack.mitre.org/wiki/Defense_Evasion"], "tags": {"name": "Windows Defense Evasion Tactics", "analytic_story": "Windows Defense Evasion Tactics", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1027.004", "mitre_attack_technique": "Compile After Delivery", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Gamaredon Group", "MuddyWater", "Rocke"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", 
"Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1562.004", "mitre_attack_technique": "Disable or Modify System Firewall", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT38", "Carbanak", "Dragonfly", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], 
"mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1218.014", "mitre_attack_technique": "MMC", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1564.004", "mitre_attack_technique": "NTFS File Attributes", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1049", "mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System 
Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1562.002", "mitre_attack_technique": "Disable Windows Event Logging", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound", "Threat Group-3390"]}, {"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.001", "mitre_attack_technique": "DLL Search Order Hijacking", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT41", "Aquatic Panda", "BackdoorDiplomacy", "Evilnum", "RTM", "Threat Group-3390", "Tonto Team", "Whitefly", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134.004", "mitre_attack_technique": "Parent PID Spoofing", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token 
Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1055.001", "mitre_attack_technique": "Dynamic-link Library Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["BackdoorDiplomacy", "Lazarus Group", "Leviathan", "Putter Panda", "TA505", "Tropic Trooper", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1218", "mitre_attack_technique": "System Binary Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}], "mitre_attack_tactics": ["Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation"], "datamodels": ["Change", "Endpoint", "Risk", "Web"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Add or Set Windows Defender Exclusion - Rule", "ESCU - CSC Net On The Fly Compilation - Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Firewall with Netsh - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", 
"ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Excessive number of service control start as disabled - Rule", "ESCU - Firewall Allowed Program Enable - Rule", "ESCU - FodHelper UAC Bypass - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - NET Profiler UAC bypass - Rule", "ESCU - Powershell Windows Defender Exclusion Commands - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - SLUI RunAs Elevated - Rule", "ESCU - SLUI Spawning a Process - Rule", "ESCU - Suspicious Reg exe Process - Rule", "ESCU - UAC Bypass MMC Load Unsigned Dll - Rule", "ESCU - Windows Alternate DataStream - Base64 Content - Rule", "ESCU - Windows Alternate DataStream - Executable Content - Rule", "ESCU - Windows Alternate DataStream - Process Execution - Rule", "ESCU - Windows Command and Scripting Interpreter Hunting Path Traversal - Rule", "ESCU - Windows Command and Scripting Interpreter Path Traversal Exec - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Defender Exclusion Registry Entry - Rule", "ESCU - Windows Disable Change Password Through Registry - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable Windows Event Logging Disable HTTP Logging - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows DISM Remove Defender - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt - Rule", "ESCU - Windows DLL Search Order Hijacking Hunt with Sysmon - Rule", "ESCU - Windows DLL Search Order Hijacking with iscsicpl - Rule", "ESCU - Windows Event For Service Disabled - Rule", "ESCU - Windows Excessive Disabled Services Event - Rule", "ESCU - Windows Hide Notification Features Through Registry - 
Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Parent PID Spoofing with Explorer - Rule", "ESCU - Windows PowerShell Disable HTTP Logging - Rule", "ESCU - Windows Process With NamedPipe CommandLine - Rule", "ESCU - Windows Rasautou DLL Execution - Rule", "ESCU - Windows UAC Bypass Suspicious Child Process - Rule", "ESCU - Windows UAC Bypass Suspicious Escalation Behavior - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Add or Set Windows Defender Exclusion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "CSC Net On The Fly Compilation", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Compile After Delivery"}, {"mitre_attack_technique": "Obfuscated Files or Information"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, 
{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Firewall with Netsh", "source": "endpoint", "type": "Anomaly", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Excessive number of service control start as disabled", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Firewall Allowed Program Enable", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify System Firewall"}, {"mitre_attack_technique": "Impair 
Defenses"}]}}, {"name": "FodHelper UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "NET Profiler UAC bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Powershell Windows Defender Exclusion Commands", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI RunAs Elevated", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SLUI Spawning a Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control 
Mechanism"}]}}, {"name": "Suspicious Reg exe Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "UAC Bypass MMC Load Unsigned Dll", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "MMC"}]}}, {"name": "Windows Alternate DataStream - Base64 Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}}, {"name": "Windows Alternate DataStream - Executable Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}}, {"name": "Windows Alternate DataStream - Process Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "NTFS File Attributes"}]}}, {"name": "Windows Command and Scripting Interpreter Hunting Path Traversal", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Command and Scripting Interpreter Path Traversal Exec", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System 
Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Defender Exclusion Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Disable Change Password Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Event Logging Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DISM Remove Defender", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows DLL Search 
Order Hijacking Hunt", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking Hunt with Sysmon", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Windows DLL Search Order Hijacking with iscsicpl", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Search Order Hijacking"}]}}, {"name": "Windows Event For Service Disabled", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Excessive Disabled Services Event", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or 
Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Parent PID Spoofing with Explorer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Parent PID Spoofing"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows PowerShell Disable HTTP Logging", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Disable Windows Event Logging"}, {"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "IIS Components"}]}}, {"name": "Windows Process With NamedPipe CommandLine", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows Rasautou DLL Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Dynamic-link Library Injection"}, {"mitre_attack_technique": "System Binary Proxy Execution"}, {"mitre_attack_technique": "Process Injection"}]}}, {"name": "Windows UAC Bypass Suspicious Child Process", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "Windows UAC Bypass Suspicious Escalation Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Abuse Elevation Control Mechanism"}, {"mitre_attack_technique": "Bypass User Account Control"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}]}, {"name": "Windows Discovery Techniques", "author": "Michael Hart, Splunk", "date": "2021-03-04", "version": 1, "id": "f7aba570-7d59-11eb-825e-acde48001122", "description": "Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.", "narrative": "Attackers may not have much if any insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.", "references": ["https://attack.mitre.org/tactics/TA0007/", "https://cyberd.us/penetration-testing", "https://attack.mitre.org/software/S0521/"], "tags": {"name": "Windows Discovery Techniques", "analytic_story": "Windows Discovery Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Behavioral Analytics", "Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}], "mitre_attack_tactics": 
["Discovery"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Net Localgroup Discovery - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Hart", "detections": [{"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}]}, {"name": "Windows DNS SIGRed CVE-2020-1350", "author": "Shannon Davis, Splunk", "date": "2020-07-28", "version": 1, "id": "36dbb206-d073-11ea-87d0-0242ac130003", "description": "Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.", "narrative": "When a client requests a DNS record for a particular domain, that request gets routed first through the client's locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain's own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client's local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. 
The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability"], "tags": {"name": "Windows DNS SIGRed CVE-2020-1350", "analytic_story": "Windows DNS SIGRed CVE-2020-1350", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1203", "mitre_attack_technique": "Exploitation for Client Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT12", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT41", "Andariel", "Aoqin Dragon", "Axiom", "BITTER", "BRONZE BUTLER", "BlackTech", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Elderwood", "Ember Bear", "Higaisa", "Inception", "Lazarus Group", "Leviathan", "MuddyWater", "Mustang Panda", "Patchwork", "Sandworm Team", "Sidewinder", "TA459", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "admin@338"]}], "mitre_attack_tactics": ["Execution"], "datamodels": ["Network_Resolution", "Network_Traffic"], "kill_chain_phases": ["Installation"]}, "detection_names": ["ESCU - Detect Windows DNS SIGRed via Splunk Stream - Rule", "ESCU - Detect Windows DNS SIGRed via Zeek - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Shannon Davis", "detections": [{"name": "Detect Windows DNS SIGRed via Splunk Stream", "source": "network", "type": "TTP", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}, {"name": "Detect Windows DNS SIGRed via Zeek", "source": "network", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Client Execution"}]}}]}, {"name": "Windows Drivers", "author": "Michael Haag, Splunk", "date": "2022-03-30", "version": 1, "id": "d0a9323f-9411-4da6-86b2-18c184d750c0", "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "narrative": "A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\\system32\\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? 
A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.", "references": ["https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/", "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"], "tags": {"name": "Windows Drivers", "analytic_story": "Windows Drivers", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1014", "mitre_attack_technique": "Rootkit", "mitre_attack_tactics": ["Defense 
Evasion"], "mitre_attack_groups": ["APT28", "APT41", "Rocke", "TeamTNT", "Winnti Group"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Windows Driver Inventory - Rule", "ESCU - Windows Driver Load Non-Standard Path - Rule", "ESCU - Windows Drivers Loaded by Signature - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Create Kernel Mode Driver - Rule", "ESCU - 
Windows System File on Disk - Rule", "ESCU - Windows Vulnerable Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Windows Driver Inventory", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Driver Load Non-Standard Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Drivers Loaded by Signature", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rootkit"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Create Kernel Mode Driver", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}, {"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows System File on Disk", "source": "endpoint", 
"type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "Windows Vulnerable Driver Loaded", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}]}}]}, {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "author": "Michael Haag, Splunk", "date": "2023-08-24", "version": 1, "id": "64dea1e5-2c60-461f-b886-05580ed89b5c", "description": "In July 2023, CrowdStrike's Falcon Complete managed detection and response (MDR) team uncovered an exploit kit using an unknown vulnerability in the Windows Error Reporting (WER) component. The vulnerability, now identified as CVE-2023-36874, was also independently discovered by Google's Threat Analysis Group. The exploit came to light when suspicious binaries were observed on a European technology system. CrowdStrike's Counter Adversary Operations' analysis revealed a zero-day exploit targeting the WER service, allowing attackers to execute unauthorized code with elevated privileges. The exploit kit seen aimed to spawn a privileged interpreter, displaying the versatility and adaptability of the threat. CrowdStrike has listed some potential indicators of compromise, but these are of low fidelity due to their mutable nature.", "narrative": "In June 2023, CrowdStrike's Falcon Complete team observed suspicious activities on a European technology entity's system. Multiple binaries were dropped onto the system via Remote Desktop Protocol (RDP), some of which were flagged as potential exploits for a known vulnerability. However, a string containing the Russian term for \"0day\" suggested an unknown vulnerability was at play. Subsequent investigations identified this as a zero-day vulnerability affecting the Windows Error Reporting (WER) component, now known as CVE-2023-36874. \\\nThe WER service's function is to report software issues on Windows hosts. 
The exploit centered around manipulating the WER service by redirecting file systems to execute attacker-controlled code with elevated privileges. This was achieved by creating a symbolic link redirection from the C:\\ drive to an attacker-controlled directory, and then triggering certain WER functions. Consequently, an unauthorized executable was run instead of the legitimate one, giving the attacker high-level access. \\\nThe observed exploit kit's primary objective was to initiate a privileged interpreter, such as cmd.exe or powershell_ise.exe. If this couldn't be achieved, a privileged scheduled task was created as an alternative. The exploit kit showcased a range of binaries, some packed and others not, some in C++ and others in pure C. This diversity suggests the knowledge of the vulnerability was likely shared among different developers. \\\nCrowdStrike's Counter Adversary Operations, as of now, hasn't linked this activity to any specific threat actor. They've provided potential indicators of compromise, but caution that these are easily changed, indicating the advanced capabilities of the adversaries.", "references": ["https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/"], "tags": {"name": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "analytic_story": "Windows Error Reporting Service Elevation of Privilege Vulnerability", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System 
Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1055", "mitre_attack_technique": "Process Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT32", "APT37", "APT41", "Cobalt Group", "Kimsuky", "PLATINUM", "Silence", "TA2541", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - System Processes Run From Unexpected Locations - Rule", "ESCU - Windows Process Injection Wermgr Child Process - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "System Processes Run From Unexpected Locations", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Windows Process Injection Wermgr Child Process", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Process Injection"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}]}, {"name": "Windows File Extension and Association Abuse", "author": "Rico Valdez, Splunk", "date": "2018-01-26", "version": 1, "id": "30552a76-ac78-48e4-b3c0-de4e34e9563d", "description": "Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.", "narrative": "Attackers use a variety of techniques to entice users to run malicious code or to persist on an endpoint. One way to accomplish these goals is to leverage file extensions and the mechanism Windows uses to associate files with specific applications. \\\n Since its earliest days, Windows has used extensions to identify file types. Users have become familiar with these extensions and their application associations. For example, if users see that a file ends in `.doc` or `.docx`, they will assume that it is a Microsoft Word document and expect that double-clicking will open it using `winword.exe`. The user will typically also presume that the `.docx` file is safe. \\\n Attackers take advantage of this expectation by obfuscating the true file extension. They can accomplish this in a couple of ways. One technique involves inserting multiple spaces in the file name before the extension to hide the extension from the GUI, obscuring the true nature of the file. 
Another approach involves prepending the real extension with a different one. This is especially effective when Windows is configured to \"hide extensions for known file types.\" In this case, the real extension is not displayed, but the prepended one is, leading end users to believe the file is a different type than it actually is.\\\nChanging the association between a file extension and an application can allow an attacker to execute arbitrary code. The technique typically involves changing the association for an often-launched file type to associate instead with a malicious program the attacker has dropped on the endpoint. When the end user launches a file that has been manipulated in this way, it will execute the attacker's malware. It will also execute the application the end user expected to run, cleverly obscuring the fact that something suspicious has occurred.\\\nRun the searches in this story to detect and investigate suspicious behavior that may indicate abuse or manipulation of Windows file extensions and/or associations.", "references": ["https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/", "https://attack.mitre.org/wiki/Technique/T1042"], "tags": {"name": "Windows File Extension and Association Abuse", "analytic_story": "Windows File Extension and Association Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.003", "mitre_attack_technique": "Rename System Utilities", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT32", "GALLIUM", "Lazarus Group", "menuPass"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense 
Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Execution of File With Spaces Before Extension - Rule", "ESCU - Suspicious Changes to File Associations - Rule", "ESCU - Execution of File with Multiple Extensions - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Execution of File With Spaces Before Extension", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Rename System Utilities"}]}}, {"name": "Suspicious Changes to File Associations", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}]}}, {"name": "Execution of File with Multiple Extensions", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "Rename System Utilities"}]}}]}, {"name": "Windows Log Manipulation", "author": "Rico Valdez, Splunk", "date": "2017-09-12", "version": 2, "id": "b6db2c60-a281-48b4-95f1-2cd99ed56835", "description": "Adversaries often try to cover their tracks by manipulating Windows logs. 
Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.", "narrative": "Because attackers often modify system logs to cover their tracks and/or to thwart the investigative process, log monitoring is an industry-recognized best practice. While there are legitimate reasons to manipulate system logs, it is still worthwhile to keep track of who manipulated the logs, when they manipulated them, and in what way they manipulated them (determining which accesses, tools, or utilities were employed). Even if no malicious activity is detected, the knowledge of an attempt to manipulate system logs may be indicative of a broader security risk that should be thoroughly investigated.\\\nThe Analytic Story gives users two different ways to detect manipulation of Windows Event Logs and one way to detect deletion of the Update Sequence Number (USN) Change Journal. The story helps determine the history of the host and the users who have accessed it. 
Finally, the story aides in investigation by retrieving all the information on the process that caused these events (if the process has been identified).", "references": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://zeltser.com/security-incident-log-review-checklist/", "http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html"], "tags": {"name": "Windows Log Manipulation", "analytic_story": "Windows Log Manipulation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.001", "mitre_attack_technique": "Clear Windows Event Logs", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "APT38", "APT41", "Chimera", "Dragonfly", "FIN5", "FIN8", "Indrik Spider"]}], "mitre_attack_tactics": ["Defense Evasion", "Impact"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Exploitation"]}, "detection_names": ["ESCU - Deleting Shadow Copies - Rule", "ESCU - Suspicious Event Log Service Behavior - Rule", "ESCU - Suspicious wevtutil Usage - Rule", "ESCU - USN Journal Deletion - Rule", "ESCU - Windows Event Log Cleared - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "Deleting Shadow Copies", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Suspicious Event Log Service Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}, {"name": "Suspicious wevtutil Usage", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clear Windows Event Logs"}, {"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "USN Journal Deletion", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}]}}, {"name": "Windows Event Log Cleared", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Clear Windows Event Logs"}]}}]}, {"name": "Windows Persistence Techniques", "author": "Bhavin Patel, Splunk", "date": "2018-05-31", "version": 2, "id": "30874d4f-20a1-488f-85ec-5d52ef74e3f9", "description": "Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.", "narrative": "Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. 
This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.", "references": ["http://www.fuzzysecurity.com/tutorials/19.html", "https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html", "http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.youtube.com/watch?v=dq2Hv7J9fvk"], "tags": {"name": "Windows Persistence Techniques", "analytic_story": "Windows Persistence Techniques", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574.009", "mitre_attack_technique": "Path Interception by Unquoted Path", "mitre_attack_tactics": ["Defense 
Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1222.001", "mitre_attack_technique": "Windows File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry 
Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": 
"Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1134.005", "mitre_attack_technique": "SID-History Injection", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1218.005", "mitre_attack_technique": "Mshta", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": 
["APT29", "APT32", "Confucius", "Earth Lusca", "FIN7", "Gamaredon Group", "Inception", "Kimsuky", "Lazarus Group", "LazyScripter", "MuddyWater", "Mustang Panda", "SideCopy", "Sidewinder", "TA2541", "TA551"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Reg exe used to hide files directories via registry keys - Rule", "ESCU - Remote Registry Key modifications - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Certutil exe certificate extraction - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Detect Path Interception By Creation Of program exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Hiding Files And Directories With Attrib exe - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Schedule Task with Rundll32 Command Trigger - Rule", "ESCU - Scheduled Task Deleted Or Created via CMD - Rule", "ESCU - Schtasks used for forcing a reboot - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Shim Database File Creation - Rule", "ESCU - Shim Database Installation With Suspicious Parameters - Rule", "ESCU - Suspicious Scheduled Task 
from Public Directory - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows AD Same Domain SID History Addition - Rule", "ESCU - Windows Event Triggered Image File Execution Options Injection - Rule", "ESCU - Windows Mshta Execution In Registry - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Scheduled Task Service Spawned Shell - Rule", "ESCU - Windows Schtasks Create Run As System - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "Bhavin Patel", "detections": [{"name": "Reg exe used to hide files directories via registry keys", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}]}}, {"name": "Remote Registry Key modifications", "source": "deprecated", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Certutil exe certificate extraction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": []}}, {"name": "Change Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Detect Path Interception By 
Creation Of program exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Path Interception by Unquoted Path"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Hiding Files And Directories With Attrib exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "Windows File and Directory Permissions Modification"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Reg exe Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, 
{"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schedule Task with Rundll32 Command Trigger", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Schtasks used for forcing a reboot", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Shim Database File Creation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Shim Database Installation With Suspicious Parameters", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Suspicious Scheduled Task from Public Directory", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows AD Same Domain SID History Addition", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "SID-History Injection"}, {"mitre_attack_technique": "Access Token Manipulation"}]}}, {"name": "Windows Event Triggered Image File Execution Options Injection", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}]}}, {"name": "Windows Mshta Execution In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Mshta"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Scheduled Task Service Spawned Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Schtasks Create Run As System", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled 
Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "Windows Post-Exploitation", "author": "Teoderick Contreras, Splunk", "date": "2022-11-30", "version": 1, "id": "992899b7-a5cf-4bcd-bb0d-cf81762188ba", "description": "This analytic story identifies popular Windows post exploitation tools for example winpeas.bat, winpeas.exe, WinPrivCheck.bat and many more.", "narrative": "These tools allow operators to find possible exploits or paths for privilege escalation and persistence on a targeted host. 
Ransomware operator like the \"Prestige ransomware\" also used or abuses these post exploitation tools such as winPEAS to scan for possible avenue to gain privileges and persistence to a targeted Windows Operating System.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"], "tags": {"name": "Windows Post-Exploitation", "analytic_story": "Windows Post-Exploitation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Security Monitoring", "mitre_attack_enrichments": [{"mitre_attack_id": "T1070", "mitre_attack_technique": "Indicator Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1070.005", "mitre_attack_technique": "Network Share Connection Removal", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Threat Group-3390"]}, {"mitre_attack_id": "T1069", "mitre_attack_technique": "Permission Groups Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT3", "FIN13", "TA505"]}, {"mitre_attack_id": "T1069.002", "mitre_attack_technique": "Domain Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Dragonfly", "FIN7", "Inception", "Ke3chang", "LAPSUS$", "OilRig", "Turla", "Volt Typhoon"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1069.001", "mitre_attack_technique": "Local Groups", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["Chimera", "HEXANE", "OilRig", "Tonto Team", "Turla", "Volt Typhoon", "admin@338"]}, {"mitre_attack_id": "T1049", 
"mitre_attack_technique": "System Network Connections Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "APT38", "APT41", "Andariel", "BackdoorDiplomacy", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "HEXANE", "Ke3chang", "Lazarus Group", "Magic Hound", "MuddyWater", "Mustang Panda", "OilRig", "Poseidon Group", "Sandworm Team", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016", "mitre_attack_technique": "System Network Configuration Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT1", "APT19", "APT3", "APT32", "APT41", "Chimera", "Darkhotel", "Dragonfly", "Earth Lusca", "FIN13", "GALLIUM", "HAFNIUM", "HEXANE", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "SideCopy", "Sidewinder", "Stealth Falcon", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1016.001", "mitre_attack_technique": "Internet Connection Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT29", "FIN13", "FIN8", "Gamaredon Group", "HAFNIUM", "HEXANE", "Magic Hound", "TA2541", "Turla"]}, {"mitre_attack_id": "T1592", "mitre_attack_technique": "Gather Victim Host Information", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003.005", "mitre_attack_technique": "Cached Domain Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "Leafminer", "MuddyWater", "OilRig"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1115", 
"mitre_attack_technique": "Clipboard Data", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT38", "APT39"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1529", "mitre_attack_technique": "System Shutdown/Reboot", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT37", "APT38", "Lazarus Group"]}, {"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1555", "mitre_attack_technique": "Credentials from Password Stores", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT33", "APT39", "Evilnum", "FIN6", "HEXANE", "Leafminer", "MuddyWater", "OilRig", "Stealth Falcon", "Volt Typhoon"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1202", "mitre_attack_technique": "Indirect Command Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Lazarus Group"]}, {"mitre_attack_id": "T1082", 
"mitre_attack_technique": "System Information Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT18", "APT19", "APT3", "APT32", "APT37", "APT38", "Aquatic Panda", "Blue Mockingbird", "Chimera", "Confucius", "Darkhotel", "FIN13", "FIN8", "Gamaredon Group", "HEXANE", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Magic Hound", "Moses Staff", "MuddyWater", "Mustang Panda", "OilRig", "Patchwork", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Sowbug", "Stealth Falcon", "TA2541", "TeamTNT", "Tropic Trooper", "Turla", "Volt Typhoon", "Windigo", "Windshift", "Wizard Spider", "ZIRCONIUM", "admin@338"]}, {"mitre_attack_id": "T1012", "mitre_attack_technique": "Query Registry", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT32", "APT39", "Chimera", "Dragonfly", "Fox Kitten", "Kimsuky", "Lazarus Group", "OilRig", "Stealth Falcon", "Threat Group-3390", "Turla", "Volt Typhoon", "ZIRCONIUM"]}, {"mitre_attack_id": "T1555.005", "mitre_attack_technique": "Password Managers", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Fox Kitten", "LAPSUS$", "Threat Group-3390"]}, {"mitre_attack_id": "T1552.004", "mitre_attack_technique": "Private Keys", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["Rocke", "TeamTNT"]}, {"mitre_attack_id": "T1547.005", "mitre_attack_technique": "Security Support Provider", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1047", "mitre_attack_technique": "Windows Management Instrumentation", "mitre_attack_tactics": 
["Execution"], "mitre_attack_groups": ["APT29", "APT32", "APT41", "Blue Mockingbird", "Chimera", "Deep Panda", "Earth Lusca", "FIN13", "FIN6", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "Indrik Spider", "Lazarus Group", "Leviathan", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Sandworm Team", "Stealth Falcon", "TA2541", "Threat Group-3390", "Volt Typhoon", "Windshift", "Wizard Spider", "menuPass"]}], "mitre_attack_tactics": ["Collection", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Create or delete windows shares using net exe - Rule", "ESCU - Domain Group Discovery With Net - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Net Localgroup Discovery - Rule", "ESCU - Network Connection Discovery With Arp - Rule", "ESCU - Network Connection Discovery With Net - Rule", "ESCU - Network Connection Discovery With Netstat - Rule", "ESCU - Network Discovery Using Route Windows App - Rule", "ESCU - Recon AVProduct Through Pwh or WMI - Rule", "ESCU - Windows Cached Domain Credentials Reg Query - Rule", "ESCU - Windows ClipBoard Data via Get-ClipBoard - Rule", "ESCU - Windows Common Abused Cmd Shell Risk Behavior - Rule", "ESCU - Windows Credentials from Password Stores Query - Rule", "ESCU - Windows Credentials in Registry Reg Query - Rule", "ESCU - Windows Indirect Command Execution Via forfiles - Rule", "ESCU - Windows Indirect Command Execution Via Series Of Forfiles - Rule", "ESCU - Windows Information Discovery Fsutil - Rule", "ESCU - Windows Modify Registry Reg Restore - Rule", "ESCU - Windows Password Managers Discovery - Rule", "ESCU - Windows Post Exploitation Risk Behavior - Rule", "ESCU - Windows Private Keys Discovery - Rule", "ESCU - 
Windows Query Registry Reg Save - Rule", "ESCU - Windows Security Support Provider Reg Query - Rule", "ESCU - Windows Steal or Forge Kerberos Tickets Klist - Rule", "ESCU - Windows System Network Config Discovery Display DNS - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows System User Discovery Via Quser - Rule", "ESCU - Windows WMI Process And Service List - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Create or delete windows shares using net exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Removal"}, {"mitre_attack_technique": "Network Share Connection Removal"}]}}, {"name": "Domain Group Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Domain Groups"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Net Localgroup Discovery", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "Local Groups"}]}}, {"name": "Network Connection Discovery With Arp", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Connection Discovery With Net", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network 
Connections Discovery"}]}}, {"name": "Network Connection Discovery With Netstat", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Network Discovery Using Route Windows App", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Internet Connection Discovery"}]}}, {"name": "Recon AVProduct Through Pwh or WMI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Gather Victim Host Information"}]}}, {"name": "Windows Cached Domain Credentials Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Cached Domain Credentials"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Windows ClipBoard Data via Get-ClipBoard", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Clipboard Data"}]}}, {"name": "Windows Common Abused Cmd Shell Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "System Owner/User Discovery"}, {"mitre_attack_technique": "System Shutdown/Reboot"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "Windows Credentials from Password Stores Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials from Password Stores"}]}}, {"name": "Windows Credentials in Registry Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": 
[{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Indirect Command Execution Via forfiles", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Indirect Command Execution Via Series Of Forfiles", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indirect Command Execution"}]}}, {"name": "Windows Information Discovery Fsutil", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Information Discovery"}]}}, {"name": "Windows Modify Registry Reg Restore", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Password Managers Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Password Managers"}]}}, {"name": "Windows Post Exploitation Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}, {"mitre_attack_technique": "System Network Connections Discovery"}, {"mitre_attack_technique": "Permission Groups Discovery"}, {"mitre_attack_technique": "System Network Configuration Discovery"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "System Information Discovery"}, {"mitre_attack_technique": "Clipboard Data"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Private Keys Discovery", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Private Keys"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Windows Query Registry Reg Save", "source": "endpoint", "type": "Hunting", "tags": 
{"mitre_attack_enrichments": [{"mitre_attack_technique": "Query Registry"}]}}, {"name": "Windows Security Support Provider Reg Query", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Support Provider"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Steal or Forge Kerberos Tickets Klist", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}]}}, {"name": "Windows System Network Config Discovery Display DNS", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Configuration Discovery"}]}}, {"name": "Windows System Network Connections Discovery Netsh", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Network Connections Discovery"}]}}, {"name": "Windows System User Discovery Via Quser", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows WMI Process And Service List", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Management Instrumentation"}]}}]}, {"name": "Windows Privilege Escalation", "author": "David Dorsey, Splunk", "date": "2020-02-04", "version": 2, "id": "644e22d3-598a-429c-a007-16fdb802cae5", "description": "Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.", "narrative": "Privilege escalation is a \"land-and-expand\" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. 
The motivation is simple: certain actions on a Windows machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.", "references": ["https://attack.mitre.org/tactics/TA0004/"], "tags": {"name": "Windows Privilege Escalation", "analytic_story": "Windows Privilege Escalation", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1204.002", "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT-C-36", "APT12", "APT19", "APT28", "APT29", "APT30", "APT32", "APT33", "APT37", "APT38", "APT39", "Ajax Security Team", "Andariel", "Aoqin Dragon", "BITTER", "BRONZE BUTLER", "BlackTech", "CURIUM", "Cobalt Group", "Confucius", "Dark Caracal", "DarkHydrus", "Darkhotel", "Dragonfly", "EXOTIC LILY", "Earth Lusca", "Elderwood", "Ember Bear", "FIN4", "FIN6", "FIN7", "FIN8", "Ferocious Kitten", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HEXANE", "Higaisa", "Inception", "IndigoZebra", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Machete", "Magic Hound", "Mofang", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "Nomadic Octopus", "OilRig", "PLATINUM", "PROMETHIUM", "Patchwork", "RTM", "Rancor", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA459", "TA505", "TA551", "The White Company", "Threat Group-3390", "Tonto Team", "Transparent Tribe", "Tropic Trooper", "WIRTE", "Whitefly", "Windshift", "Wizard Spider", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1547.014", "mitre_attack_technique": "Active Setup", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1068", "mitre_attack_technique": "Exploitation for Privilege Escalation", "mitre_attack_tactics": ["Privilege Escalation"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT33", "BITTER", "Cobalt Group", "FIN6", "FIN8", "LAPSUS$", "MoustachedBouncer", "PLATINUM", "Scattered Spider", "Threat Group-3390", "Tonto Team", "Turla", "Whitefly", "ZIRCONIUM"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1558", "mitre_attack_technique": "Steal or Forge Kerberos Tickets", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1558.003", "mitre_attack_technique": "Kerberoasting", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["FIN7", "Wizard Spider"]}, {"mitre_attack_id": "T1037", "mitre_attack_technique": "Boot or Logon Initialization Scripts", 
"mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "Rocke"]}, {"mitre_attack_id": "T1037.001", "mitre_attack_technique": "Logon Script (Windows)", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT28", "Cobalt Group"]}, {"mitre_attack_id": "T1574.002", "mitre_attack_technique": "DLL Side-Loading", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT41", "BRONZE BUTLER", "BlackTech", "Chimera", "Earth Lusca", "FIN13", "GALLIUM", "Higaisa", "Lazarus Group", "LuminousMoth", "MuddyWater", "Mustang Panda", "Naikon", "Patchwork", "SideCopy", "Sidewinder", "Threat Group-3390", "Tropic Trooper", "menuPass"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.008", "mitre_attack_technique": "Accessibility Features", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT3", "APT41", "Axiom", "Deep Panda", "Fox Kitten"]}, {"mitre_attack_id": "T1547.012", "mitre_attack_technique": "Print Processors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1134", "mitre_attack_technique": "Access Token Manipulation", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["Blue Mockingbird", "FIN6"]}, {"mitre_attack_id": "T1134.001", "mitre_attack_technique": "Token Impersonation/Theft", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": 
["APT28", "FIN8"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - Uncommon Processes On Endpoint - Rule", "ESCU - Active Setup Registry Autostart - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Child Processes of Spoolsv exe - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Kerberoasting spn request with RC4 encryption - Rule", "ESCU - Logon Script Event Trigger Execution - Rule", "ESCU - MSI Module Loaded by Non-System Binary - Rule", "ESCU - Overwriting Accessibility Binaries - Rule", "ESCU - Print Processor Registry Autostart - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Runas Execution in CommandLine - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Time Provider Persistence Registry - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": [], "author_company": "Splunk", "author_name": "David Dorsey", "detections": [{"name": "Uncommon Processes On Endpoint", "source": "deprecated", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Malicious File"}]}}, {"name": "Active Setup Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Active Setup"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Change 
Default File Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Child Processes of Spoolsv exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploitation for Privilege Escalation"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Kerberoasting spn request with RC4 encryption", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Steal or Forge Kerberos Tickets"}, {"mitre_attack_technique": "Kerberoasting"}]}}, {"name": "Logon Script Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Boot or Logon Initialization Scripts"}, {"mitre_attack_technique": "Logon Script (Windows)"}]}}, {"name": "MSI Module Loaded by Non-System Binary", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "DLL Side-Loading"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Overwriting Accessibility Binaries", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Accessibility Features"}]}}, {"name": "Print Processor Registry Autostart", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Print Processors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", 
"tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Runas Execution in CommandLine", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Access Token Manipulation"}, {"mitre_attack_technique": "Token Impersonation/Theft"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}]}, {"name": "Windows Registry Abuse", "author": "Teoderick Contreras, Splunk", "date": "2022-03-17", "version": 1, "id": "78df1df1-25f1-4387-90f9-c4ea31ce6b75", "description": "Windows services are often used by attackers for persistence, privilege escalation, lateral movement, defense evasion, collection of data, a tool for recon, credential dumping and payload impact. This Analytic Story helps you monitor your environment for indications that Windows registry are being modified or created in a suspicious manner.", "narrative": "Windows Registry is one of the powerful and yet still mysterious Windows features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware, adversaries or threat actors abuse this hierarchical database to do their malicious intent on a targeted host or network environment. 
In these cases, attackers often use tools to create or modify registry in ways that are not typical for most environments, providing opportunities for detection.", "references": ["https://attack.mitre.org/techniques/T1112/", "https://redcanary.com/blog/windows-registry-attacks-threat-detection/"], "tags": {"name": "Windows Registry Abuse", "analytic_story": "Windows Registry Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1021.001", "mitre_attack_technique": "Remote Desktop Protocol", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["APT1", "APT3", "APT39", "APT41", "Axiom", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "HEXANE", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "OilRig", "Patchwork", "Silence", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1021", "mitre_attack_technique": "Remote Services", "mitre_attack_tactics": ["Lateral Movement"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1548", "mitre_attack_technique": "Abuse Elevation Control Mechanism", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1003.002", "mitre_attack_technique": "Security Account Manager", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT29", "Dragonfly", "FIN13", "GALLIUM", "Ke3chang", "Threat Group-3390", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, {"mitre_attack_id": "T1552.002", "mitre_attack_technique": "Credentials in Registry", 
"mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT32"]}, {"mitre_attack_id": "T1552", "mitre_attack_technique": "Unsecured Credentials", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.001", "mitre_attack_technique": "Change Default File Association", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Kimsuky"]}, {"mitre_attack_id": "T1546", "mitre_attack_technique": "Event Triggered Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1564.001", "mitre_attack_technique": "Hidden Files and Directories", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "FIN13", "HAFNIUM", "Lazarus Group", "LuminousMoth", "Mustang Panda", "Rocke", "Transparent Tribe", "Tropic Trooper"]}, {"mitre_attack_id": "T1564", "mitre_attack_technique": "Hide Artifacts", "mitre_attack_tactics": 
["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1548.002", "mitre_attack_technique": "Bypass User Account Control", "mitre_attack_tactics": ["Defense Evasion", "Privilege Escalation"], "mitre_attack_groups": ["APT29", "APT37", "BRONZE BUTLER", "Cobalt Group", "Earth Lusca", "Evilnum", "MuddyWater", "Patchwork", "Threat Group-3390"]}, {"mitre_attack_id": "T1490", "mitre_attack_technique": "Inhibit System Recovery", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Wizard Spider"]}, {"mitre_attack_id": "T1556", "mitre_attack_technique": "Modify Authentication Process", "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Persistence"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1562.006", "mitre_attack_technique": "Indicator Blocking", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1127", "mitre_attack_technique": "Trusted Developer Utilities Proxy Execution", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1491", "mitre_attack_technique": "Defacement", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.010", "mitre_attack_technique": "Port Monitors", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547", "mitre_attack_technique": "Boot or Logon Autostart Execution", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1546.011", "mitre_attack_technique": "Application Shimming", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["FIN7"]}, {"mitre_attack_id": "T1547.001", "mitre_attack_technique": "Registry Run Keys / Startup Folder", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT18", "APT19", "APT28", "APT29", "APT3", "APT32", "APT33", 
"APT37", "APT39", "APT41", "BRONZE BUTLER", "Cobalt Group", "Confucius", "Dark Caracal", "Darkhotel", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "Gamaredon Group", "Gorgon Group", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Putter Panda", "RTM", "Rocke", "Sidewinder", "Silence", "TA2541", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Turla", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1546.012", "mitre_attack_technique": "Image File Execution Options Injection", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["TEMP.Veles"]}, {"mitre_attack_id": "T1546.002", "mitre_attack_technique": "Screensaver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1547.003", "mitre_attack_technique": "Time Providers", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1098", "mitre_attack_technique": "Account Manipulation", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT3", "APT41", "Dragonfly", "FIN13", "HAFNIUM", "Kimsuky", "Lazarus Group", "Magic Hound"]}, {"mitre_attack_id": "T1547.008", "mitre_attack_technique": "LSASS Driver", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1485", "mitre_attack_technique": "Data Destruction", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["APT38", "Gamaredon Group", "LAPSUS$", "Lazarus Group", "Sandworm Team"]}, {"mitre_attack_id": "T1553.004", "mitre_attack_technique": "Install Root Certificate", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1553", "mitre_attack_technique": "Subvert Trust Controls", 
"mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Axiom"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1574.011", "mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Credential Access", "Defense Evasion", "Execution", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint", "Risk"], "kill_chain_phases": ["Actions on Objectives", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Allow Inbound Traffic By Firewall Rule Registry - Rule", "ESCU - Allow Operation with Consent Admin - Rule", "ESCU - Attempted Credential Dump From Registry via Reg exe - Rule", "ESCU - Auto Admin Logon Registry Entry - Rule", "ESCU - Change Default File Association - Rule", "ESCU - Disable AMSI Through Registry - Rule", "ESCU - Disable Defender AntiVirus Registry - Rule", "ESCU - Disable Defender BlockAtFirstSeen Feature - Rule", "ESCU - Disable Defender Enhanced Notification - Rule", "ESCU - Disable Defender MpEngine Registry - Rule", "ESCU - Disable Defender Spynet Reporting - Rule", "ESCU - Disable Defender Submit Samples Consent Feature - Rule", "ESCU - Disable ETW Through Registry - 
Rule", "ESCU - Disable Registry Tool - Rule", "ESCU - Disable Security Logs Using MiniNt Registry - Rule", "ESCU - Disable Show Hidden Files - Rule", "ESCU - Disable UAC Remote Restriction - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disable Windows Behavior Monitoring - Rule", "ESCU - Disable Windows SmartScreen Protection - Rule", "ESCU - Disabling CMD Application - Rule", "ESCU - Disabling ControlPanel - Rule", "ESCU - Disabling Defender Services - Rule", "ESCU - Disabling FolderOptions Windows Feature - Rule", "ESCU - Disabling NoRun Windows App - Rule", "ESCU - Disabling Remote User Account Control - Rule", "ESCU - Disabling SystemRestore In Registry - Rule", "ESCU - Disabling Task Manager - Rule", "ESCU - Disabling Windows Local Security Authority Defences via Registry - Rule", "ESCU - Enable RDP In Other Port Number - Rule", "ESCU - Enable WDigest UseLogonCredential Registry - Rule", "ESCU - ETW Registry Disabled - Rule", "ESCU - Eventvwr UAC Bypass - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Modification Of Wallpaper - Rule", "ESCU - Monitor Registry Keys for Print Monitors - Rule", "ESCU - Registry Keys for Creating SHIM Databases - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Registry Keys Used For Privilege Escalation - Rule", "ESCU - Remcos client registry install entry - Rule", "ESCU - Revil Registry Entry - Rule", "ESCU - Screensaver Event Trigger Execution - Rule", "ESCU - Sdclt UAC Bypass - Rule", "ESCU - SilentCleanup UAC Bypass - Rule", "ESCU - Time Provider Persistence Registry - Rule", "ESCU - Windows AD DSRM Account Changes - Rule", "ESCU - Windows Autostart Execution LSASS Driver Registry Modification - Rule", "ESCU - Windows Disable Lock Workstation Feature Through Registry - Rule", "ESCU - Windows Disable LogOff Button Through Registry - Rule", "ESCU - Windows Disable Memory Crash Dump - Rule", "ESCU - Windows Disable Notification Center - Rule", "ESCU - Windows Disable 
Shutdown Button Through Registry - Rule", "ESCU - Windows Disable Windows Group Policy Features Through Registry - Rule", "ESCU - Windows DisableAntiSpyware Registry - Rule", "ESCU - Windows Hide Notification Features Through Registry - Rule", "ESCU - Windows Impair Defense Delete Win Defender Context Menu - Rule", "ESCU - Windows Impair Defense Delete Win Defender Profile Registry - Rule", "ESCU - Windows Impair Defenses Disable HVCI - Rule", "ESCU - Windows Impair Defenses Disable Win Defender Auto Logging - Rule", "ESCU - Windows Modify Registry Risk Behavior - Rule", "ESCU - Windows Modify Show Compress Color And Info Tip Registry - Rule", "ESCU - Windows Registry Certificate Added - Rule", "ESCU - Windows Registry Delete Task SD - Rule", "ESCU - Windows Registry Modification for Safe Mode Persistence - Rule", "ESCU - Windows Service Creation Using Registry Entry - Rule", "ESCU - WSReset UAC Bypass - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Allow Inbound Traffic By Firewall Rule Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Desktop Protocol"}, {"mitre_attack_technique": "Remote Services"}]}}, {"name": "Allow Operation with Consent Admin", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Attempted Credential Dump From Registry via Reg exe", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Security Account Manager"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "Auto Admin Logon Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Credentials in Registry"}, {"mitre_attack_technique": "Unsecured Credentials"}]}}, {"name": "Change Default File 
Association", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Change Default File Association"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Disable AMSI Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender AntiVirus Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender BlockAtFirstSeen Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Enhanced Notification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender MpEngine Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Spynet Reporting", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Defender Submit Samples Consent Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable ETW Through Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, 
{"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Registry Tool", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Security Logs Using MiniNt Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Show Hidden Files", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Hidden Files and Directories"}, {"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Hide Artifacts"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable UAC Remote Restriction", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disable Windows Behavior Monitoring", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disable Windows SmartScreen Protection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling CMD Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify 
Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling ControlPanel", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Defender Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling FolderOptions Windows Feature", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling NoRun Windows App", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Remote User Account Control", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Disabling SystemRestore In Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Inhibit System Recovery"}]}}, {"name": "Disabling Task Manager", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Disabling Windows Local Security Authority Defences via Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Authentication Process"}]}}, {"name": "Enable RDP In Other Port Number", 
"source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Remote Services"}]}}, {"name": "Enable WDigest UseLogonCredential Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}, {"mitre_attack_technique": "OS Credential Dumping"}]}}, {"name": "ETW Registry Disabled", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Indicator Blocking"}, {"mitre_attack_technique": "Trusted Developer Utilities Proxy Execution"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Eventvwr UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Modification Of Wallpaper", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Defacement"}]}}, {"name": "Monitor Registry Keys for Print Monitors", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Port Monitors"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Registry Keys for Creating SHIM Databases", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Application Shimming"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Registry Keys Used For Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart 
Execution"}]}}, {"name": "Registry Keys Used For Privilege Escalation", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Image File Execution Options Injection"}, {"mitre_attack_technique": "Event Triggered Execution"}]}}, {"name": "Remcos client registry install entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Revil Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Screensaver Event Trigger Execution", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Event Triggered Execution"}, {"mitre_attack_technique": "Screensaver"}]}}, {"name": "Sdclt UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "SilentCleanup UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control Mechanism"}]}}, {"name": "Time Provider Persistence Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Time Providers"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows AD DSRM Account Changes", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Manipulation"}]}}, {"name": "Windows Autostart Execution LSASS Driver Registry Modification", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "LSASS Driver"}]}}, {"name": "Windows Disable Lock Workstation Feature Through Registry", "source": 
"endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable LogOff Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Memory Crash Dump", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Data Destruction"}]}}, {"name": "Windows Disable Notification Center", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Shutdown Button Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Disable Windows Group Policy Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows DisableAntiSpyware Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Hide Notification Features Through Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Impair Defense Delete Win Defender Context Menu", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defense Delete Win Defender Profile Registry", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows 
Impair Defenses Disable HVCI", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Impair Defenses Disable Win Defender Auto Logging", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Modify Registry Risk Behavior", "source": "endpoint", "type": "Correlation", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Modify Show Compress Color And Info Tip Registry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Windows Registry Certificate Added", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Install Root Certificate"}, {"mitre_attack_technique": "Subvert Trust Controls"}]}}, {"name": "Windows Registry Delete Task SD", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Windows Registry Modification for Safe Mode Persistence", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Registry Run Keys / Startup Folder"}, {"mitre_attack_technique": "Boot or Logon Autostart Execution"}]}}, {"name": "Windows Service Creation Using Registry Entry", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}]}}, {"name": "WSReset UAC Bypass", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Bypass User Account Control"}, {"mitre_attack_technique": "Abuse Elevation Control 
Mechanism"}]}}]}, {"name": "Windows Service Abuse", "author": "Rico Valdez, Splunk", "date": "2017-11-02", "version": 3, "id": "6dbd810e-f66d-414b-8dfc-e46de55cbfe2", "description": "Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.", "narrative": "The Windows operating system uses a services architecture to allow for running code in the background, similar to a UNIX daemon. Attackers will often leverage Windows services for persistence, hiding in plain sight, seeking the ability to run privileged code that can interact with the kernel. In many cases, attackers will create a new service to host their malicious code. Attackers have also been observed modifying unnecessary or unused services to point to their own code, as opposed to what was intended. In these cases, attackers often use tools to create or modify services in ways that are not typical for most environments, providing opportunities for detection.", "references": ["https://attack.mitre.org/wiki/Technique/T1050", "https://attack.mitre.org/wiki/Technique/T1031"], "tags": {"name": "Windows Service Abuse", "analytic_story": "Windows Service Abuse", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1569", "mitre_attack_technique": "System Services", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["TeamTNT"]}, {"mitre_attack_id": "T1569.002", "mitre_attack_technique": "Service Execution", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT32", "APT38", "APT39", "APT41", "Blue Mockingbird", "Chimera", "FIN6", "Ke3chang", "Silence", "Wizard Spider"]}, {"mitre_attack_id": "T1574.011", 
"mitre_attack_technique": "Services Registry Permissions Weakness", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1574", "mitre_attack_technique": "Hijack Execution Flow", "mitre_attack_tactics": ["Defense Evasion", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Defense Evasion", "Execution", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Exploitation", "Installation"]}, "detection_names": ["ESCU - First Time Seen Running Windows Service - Rule", "ESCU - Reg exe Manipulating Windows Services Registry Keys - Rule", "ESCU - Sc exe Manipulating Windows Services - Rule"], "investigation_names": ["ESCU - Get Notable History - Response Task", "ESCU - Get Parent Process Info - Response Task", "ESCU - Get Process Info - Response Task"], "baseline_names": ["ESCU - Previously Seen Running Windows Services - Initial", "ESCU - Previously Seen Running Windows Services - Update"], "author_company": "Splunk", "author_name": "Rico Valdez", "detections": [{"name": "First Time Seen Running Windows Service", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Services"}, {"mitre_attack_technique": "Service Execution"}]}}, {"name": "Reg exe 
Manipulating Windows Services Registry Keys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Services Registry Permissions Weakness"}, {"mitre_attack_technique": "Hijack Execution Flow"}]}}, {"name": "Sc exe Manipulating Windows Services", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}, {"name": "Windows System Binary Proxy Execution MSIExec", "author": "Michael Haag, Splunk", "date": "2022-06-16", "version": 1, "id": "bea2e16b-4599-46ad-a95b-116078726c68", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).", "narrative": "Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. 
Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.", "references": ["https://attack.mitre.org/techniques/T1218/007/"], "tags": {"name": "Windows System Binary Proxy Execution MSIExec", "analytic_story": "Windows System Binary Proxy Execution MSIExec", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1218.007", "mitre_attack_technique": "Msiexec", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Machete", "Molerats", "Rancor", "TA505", "ZIRCONIUM"]}], "mitre_attack_tactics": ["Defense Evasion"], "datamodels": ["Endpoint", "Network_Traffic"], "kill_chain_phases": ["Exploitation"]}, "detection_names": ["ESCU - Windows MSIExec DLLRegisterServer - Rule", "ESCU - Windows MSIExec Remote Download - Rule", "ESCU - Windows MSIExec Spawn Discovery Command - Rule", "ESCU - Windows MSIExec Unregister DLLRegisterServer - Rule", "ESCU - Windows MSIExec With Network Connections - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Windows MSIExec DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Remote Download", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Spawn Discovery Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec Unregister DLLRegisterServer", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}, {"name": "Windows MSIExec With Network Connections", "source": "endpoint", "type": 
"TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Msiexec"}]}}]}, {"name": "WinRAR Spoofing Attack CVE-2023-38831", "author": "Michael Haag, Splunk", "date": "2023-08-29", "version": 1, "id": "9ba776f3-b8c5-4390-a312-6dab6c5561b9", "description": "Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions, which were then distributed on trading forums. Once the malware was executed, it allowed cybercriminals to withdraw funds from brokers' accounts. RARLAB was immediately notified about the vulnerability and released a patch. Group-IB recommends users update WinRAR to the latest version, stay informed about cyber threats, be cautious with unknown attachments, enable 2FA, backup data, and follow the principle of least privilege.", "narrative": "Group-IB Threat Intelligence unit identified a critical zero-day vulnerability, CVE-2023-38831, in WinRAR, a widely used compression tool. This vulnerability was exploited by cybercriminals to craft ZIP archives containing malicious and non-malicious files, distributed on specialized trading forums. The exploit allowed them to spoof file extensions, hiding the launch of malicious scripts within an archive masquerading as a '.jpg', '.txt', or any other file format. When victims opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. \\\nThe vulnerability was discovered while researching the spread of DarkMe malware, a VisualBasic spy Trojan attributed to the financially motivated group, Evilnum. 
The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services. Despite efforts by forum administrators to warn users and disable threat actors' accounts, the cybercriminals continued to spread the malicious files, compromising devices, and leading to financial losses. \\\nGroup-IB immediately notified RARLAB about the vulnerability, and they promptly responded by issuing a patch. The beta version of the patch was released on July 20, 2023, and the final updated version, WinRAR 6.23, was released on August 2, 2023. Group-IB recommends all users install the latest version of WinRAR to mitigate the risk of exploitation. \\\nIn conclusion, the exploitation of the CVE-2023-38831 vulnerability highlights the constant risks associated with software vulnerabilities and the importance of remaining vigilant, keeping systems updated, and following security guidelines to avoid falling victim to such attacks. 
Collaboration between security researchers and software developers is essential to quickly identify and fix vulnerabilities, making it harder for cybercriminals to exploit them.", "references": ["https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"], "tags": {"name": "WinRAR Spoofing Attack CVE-2023-38831", "analytic_story": "WinRAR Spoofing Attack CVE-2023-38831", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}], "mitre_attack_tactics": ["Command And Control"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Command And Control"]}, "detection_names": ["ESCU - WinRAR Spawning Shell Application - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", 
"author_name": "Michael Haag", "detections": [{"name": "WinRAR Spawning Shell Application", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}]}, {"name": "Winter Vivern", "author": "Teoderick Contreras, Splunk", "date": "2023-02-16", "version": 1, "id": "5ce5f311-b311-4568-90ca-0c36781d07a4", "description": "Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.", "narrative": "The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. 
To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.", "references": ["https://cert.gov.ua/article/3761023"], "tags": {"name": "Winter Vivern", "analytic_story": "Winter Vivern", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT32", "APT37", "APT39", "Dragonfly", "FIN5", "FIN6", "FIN7", "Fox Kitten", "Ke3chang", "OilRig", "Stealth Falcon", "Whitefly", "Windigo"]}, {"mitre_attack_id": "T1059.001", "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT19", "APT28", "APT29", "APT3", "APT32", "APT33", "APT38", "APT39", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "CopyKittens", "DarkHydrus", "DarkVishnya", "Deep Panda", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "Inception", "Indrik Spider", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "Magic Hound", "Molerats", "MoustachedBouncer", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Poseidon Group", "Sandworm Team", "Sidewinder", "Silence", "Stealth Falcon", "TA2541", "TA459", "TA505", "TEMP.Veles", "TeamTNT", "Threat Group-3390", "Thrip", "Tonto Team", "Turla", "Volt Typhoon", "WIRTE", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", 
"APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", "Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1059.003", "mitre_attack_technique": "Windows Command Shell", "mitre_attack_tactics": ["Execution"], "mitre_attack_groups": ["APT1", "APT18", "APT28", "APT3", "APT32", "APT37", "APT38", "APT41", "Aquatic Panda", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Dark Caracal", "Darkhotel", "Dragonfly", "Ember Bear", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "Higaisa", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Machete", "Magic Hound", "Metador", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "Patchwork", "Rancor", "Silence", "Sowbug", "Suckfly", "TA505", "TA551", "TeamTNT", "Threat Group-1314", "Threat Group-3390", "Tropic Trooper", "Turla", "Volt Typhoon", "Wizard Spider", "ZIRCONIUM", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1087.001", "mitre_attack_technique": "Local Account", "mitre_attack_tactics": 
["Discovery"], "mitre_attack_groups": ["APT1", "APT3", "APT32", "Chimera", "Fox Kitten", "Ke3chang", "Moses Staff", "OilRig", "Poseidon Group", "Threat Group-3390", "Turla", "admin@338"]}, {"mitre_attack_id": "T1027", "mitre_attack_technique": "Obfuscated Files or Information", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT19", "APT28", "APT3", "APT32", "APT33", "APT37", "APT39", "APT41", "BITTER", "BackdoorDiplomacy", "BlackOasis", "Blue Mockingbird", "Dark Caracal", "Darkhotel", "Earth Lusca", "Elderwood", "Ember Bear", "Fox Kitten", "GALLIUM", "Gallmaker", "Gamaredon Group", "Group5", "Higaisa", "Inception", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "Magic Hound", "Metador", "Mofang", "Molerats", "Moses Staff", "Mustang Panda", "OilRig", "Putter Panda", "Rocke", "Sandworm Team", "Sidewinder", "TA2541", "TA505", "TeamTNT", "Threat Group-3390", "Transparent Tribe", "Tropic Trooper", "Whitefly", "Windshift", "menuPass"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT-C-36", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", "Dragonfly", "FIN10", "FIN13", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "HEXANE", "Higaisa", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", "Naikon", "OilRig", "Patchwork", "Rancor", "Silence", "Stealth Falcon", "TA2541", "TEMP.Veles", "Wizard Spider", "menuPass"]}, {"mitre_attack_id": "T1033", "mitre_attack_technique": "System Owner/User Discovery", 
"mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT37", "APT38", "APT39", "APT41", "Chimera", "Dragonfly", "Earth Lusca", "FIN10", "FIN7", "FIN8", "GALLIUM", "Gamaredon Group", "HAFNIUM", "HEXANE", "Ke3chang", "Lazarus Group", "LuminousMoth", "Magic Hound", "MuddyWater", "OilRig", "Patchwork", "Sandworm Team", "Sidewinder", "Stealth Falcon", "Threat Group-3390", "Tropic Trooper", "Volt Typhoon", "Windshift", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1041", "mitre_attack_technique": "Exfiltration Over C2 Channel", "mitre_attack_tactics": ["Exfiltration"], "mitre_attack_groups": ["APT3", "APT32", "APT39", "Chimera", "Confucius", "GALLIUM", "Gamaredon Group", "Higaisa", "Ke3chang", "Kimsuky", "Lazarus Group", "Leviathan", "LuminousMoth", "MuddyWater", "Sandworm Team", "Stealth Falcon", "Wizard Spider", "ZIRCONIUM"]}, {"mitre_attack_id": "T1113", "mitre_attack_technique": "Screen Capture", "mitre_attack_tactics": ["Collection"], "mitre_attack_groups": ["APT28", "APT39", "BRONZE BUTLER", "Dark Caracal", "Dragonfly", "FIN7", "GOLD SOUTHFIELD", "Gamaredon Group", "Group5", "Magic Hound", "MoustachedBouncer", "MuddyWater", "OilRig", "Silence"]}], "mitre_attack_tactics": ["Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Persistence", "Privilege Escalation"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And Control", "Exploitation", "Installation"]}, "detection_names": ["ESCU - Any Powershell DownloadString - Rule", "ESCU - CMD Carry Out String Command Parameter - Rule", "ESCU - GetWmiObject User Account with PowerShell - Rule", "ESCU - GetWmiObject User Account with PowerShell Script Block - Rule", "ESCU - Powershell Fileless Script Contains Base64 Encoded Content - Rule", "ESCU - PowerShell Loading DotNET into Memory via Reflection - Rule", "ESCU - Schedule Task with HTTP Command Arguments - Rule", "ESCU - Scheduled Task Deleted Or 
Created via CMD - Rule", "ESCU - System User Discovery With Whoami - Rule", "ESCU - Windows Exfiltration Over C2 Via Invoke RestMethod - Rule", "ESCU - Windows Exfiltration Over C2 Via Powershell UploadString - Rule", "ESCU - Windows Scheduled Task Created Via XML - Rule", "ESCU - Windows Screen Capture Via Powershell - Rule", "ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", "ESCU - WinEvent Scheduled Task Created Within Public Path - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule", "ESCU - WinEvent Windows Task Scheduler Event Action Started - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Any Powershell DownloadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}, {"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "CMD Carry Out String Command Parameter", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Command Shell"}, {"mitre_attack_technique": "Command and Scripting Interpreter"}]}}, {"name": "GetWmiObject User Account with PowerShell", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}]}}, {"name": "GetWmiObject User Account with PowerShell Script Block", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}, {"mitre_attack_technique": "Local Account"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Powershell Fileless Script Contains Base64 Encoded Content", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, 
{"mitre_attack_technique": "Obfuscated Files or Information"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "PowerShell Loading DotNET into Memory via Reflection", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Command and Scripting Interpreter"}, {"mitre_attack_technique": "PowerShell"}]}}, {"name": "Schedule Task with HTTP Command Arguments", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Scheduled Task Deleted Or Created via CMD", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "System User Discovery With Whoami", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "System Owner/User Discovery"}]}}, {"name": "Windows Exfiltration Over C2 Via Invoke RestMethod", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Windows Exfiltration Over C2 Via Powershell UploadString", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exfiltration Over C2 Channel"}]}}, {"name": "Windows Scheduled Task Created Via XML", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Windows Screen Capture Via Powershell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Screen Capture"}]}}, {"name": "WinEvent Scheduled Task Created to Spawn Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, 
{"name": "WinEvent Scheduled Task Created Within Public Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}, {"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}, {"name": "WinEvent Windows Task Scheduler Event Action Started", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task"}]}}]}, {"name": "WS FTP Server Critical Vulnerabilities", "author": "Michael Haag, Splunk", "date": "2023-10-01", "version": 1, "id": "60466291-3ab4-452b-9c11-456aa2dc7293", "description": "A critical security advisory was released by Progress Software on September 27, 2023, concerning multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The two critical vulnerabilities are CVE-2023-40044, a .NET deserialization flaw, and CVE-2023-42657, a directory traversal vulnerability. Rapid7 has observed active exploitation of these vulnerabilities. Affected versions are prior to 8.7.4 and 8.8.2. Immediate action is advised - upgrade to WS_FTP Server version 8.8.2. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure. This comes in the wake of increased scrutiny following the Cl0p ransomware attack on MOVEit Transfer in May 2023.", "narrative": "Two critical vulnerabilities have been identified in WS_FTP Server, a widely-used secure file transfer solution. The first, CVE-2023-40044, is a .NET deserialization flaw that targets the Ad Hoc Transfer module of WS_FTP Server versions earlier than 8.7.4 and 8.8.2. This flaw allows an attacker to execute arbitrary commands on the server's operating system without needing authentication. 
The second vulnerability, CVE-2023-42657, is a directory traversal flaw that allows attackers to perform unauthorized file operations outside of their authorized WS_FTP folder. In severe cases, the attacker could escape the WS_FTP Server file structure and perform operations on the underlying operating system. Both vulnerabilities have been observed being exploited in the wild and immediate action for mitigation is strongly advised. Updating to WS_FTP Server version 8.8.2 is recommended. For those unable to update, disabling the Ad Hoc Transfer module is suggested as a temporary measure.", "references": ["https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044", "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "https://www.cve.org/CVERecord?id=CVE-2023-40044", "https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/", "https://www.splunk.com/en_us/blog/security/fantastic-iis-modules-and-how-to-find-them.html"], "tags": {"name": "WS FTP Server Critical Vulnerabilities", "analytic_story": "WS FTP Server Critical Vulnerabilities", "category": ["Adversary Tactics"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1505", "mitre_attack_technique": "Server Software Component", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1505.003", "mitre_attack_technique": "Web Shell", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["APT28", "APT29", "APT32", "APT38", "APT39", "BackdoorDiplomacy", "Deep Panda", "Dragonfly", "FIN13", "Fox Kitten", "GALLIUM", "HAFNIUM", "Kimsuky", "Leviathan", "Magic Hound", "Moses Staff", "OilRig", "Sandworm Team", "TEMP.Veles", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Volatile Cedar", "Volt Typhoon"]}, {"mitre_attack_id": 
"T1505.004", "mitre_attack_technique": "IIS Components", "mitre_attack_tactics": ["Persistence"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": ["Initial Access"], "mitre_attack_groups": ["APT28", "APT29", "APT39", "APT41", "Axiom", "BackdoorDiplomacy", "BlackTech", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "FIN13", "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", "HAFNIUM", "Ke3chang", "Kimsuky", "Magic Hound", "Moses Staff", "MuddyWater", "Rocke", "Threat Group-3390", "Volatile Cedar", "Volt Typhoon", "menuPass"]}], "mitre_attack_tactics": ["Initial Access", "Persistence"], "datamodels": ["Endpoint", "Web"], "kill_chain_phases": ["Delivery", "Installation"]}, "detection_names": ["ESCU - Detect Webshell Exploit Behavior - Rule", "ESCU - W3WP Spawning Shell - Rule", "ESCU - Windows IIS Components Get-WebGlobalModule Module Query - Rule", "ESCU - WS FTP Remote Code Execution - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Splunk", "author_name": "Michael Haag", "detections": [{"name": "Detect Webshell Exploit Behavior", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "W3WP Spawning Shell", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Server Software Component"}, {"mitre_attack_technique": "Web Shell"}]}}, {"name": "Windows IIS Components Get-WebGlobalModule Module Query", "source": "endpoint", "type": "Hunting", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "IIS Components"}, {"mitre_attack_technique": "Server Software Component"}]}}, {"name": "WS FTP Remote Code Execution", "source": "web", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Exploit Public-Facing Application"}]}}]}, {"name": 
"XMRig", "author": "Teoderick Contreras, Rod Soto Splunk", "date": "2021-05-07", "version": 1, "id": "06723e6a-6bd8-4817-ace2-5fb8a7b06628", "description": "Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of Command And Control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", "narrative": "XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner. 
This monero is seen in the wild on May 2017.", "references": ["https://github.com/xmrig/xmrig", "https://www.getmonero.org/resources/user-guides/mine-to-pool.html", "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", "https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/"], "tags": {"name": "XMRig", "analytic_story": "XMRig", "category": ["Malware"], "product": ["Splunk Enterprise", "Splunk Enterprise Security", "Splunk Cloud"], "usecase": "Advanced Threat Detection", "mitre_attack_enrichments": [{"mitre_attack_id": "T1036.005", "mitre_attack_technique": "Match Legitimate Name or Location", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT1", "APT28", "APT29", "APT32", "APT39", "APT41", "Aoqin Dragon", "BRONZE BUTLER", "BackdoorDiplomacy", "Blue Mockingbird", "Carbanak", "Chimera", "Darkhotel", "Earth Lusca", "FIN13", "FIN7", "Ferocious Kitten", "Fox Kitten", "Gamaredon Group", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LuminousMoth", "Machete", "Magic Hound", "MuddyWater", "Mustang Panda", "Naikon", "PROMETHIUM", "Patchwork", "Poseidon Group", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "Sowbug", "TA2541", "TEMP.Veles", "TeamTNT", "Transparent Tribe", "Tropic Trooper", "Volt Typhoon", "WIRTE", "Whitefly", "admin@338", "menuPass"]}, {"mitre_attack_id": "T1036", "mitre_attack_technique": "Masquerading", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT28", "APT32", "BRONZE BUTLER", "Dragonfly", "FIN13", "Kimsuky", "LazyScripter", "Nomadic Octopus", "OilRig", "PLATINUM", "TA551", "TeamTNT", "Windshift", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1003", "mitre_attack_technique": "OS Credential Dumping", "mitre_attack_tactics": ["Credential Access"], "mitre_attack_groups": ["APT28", "APT32", "APT39", "Axiom", "Leviathan", "Poseidon Group", "Sowbug", "Suckfly", "Tonto Team"]}, 
{"mitre_attack_id": "T1595", "mitre_attack_technique": "Active Scanning", "mitre_attack_tactics": ["Reconnaissance"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1531", "mitre_attack_technique": "Account Access Removal", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["LAPSUS$"]}, {"mitre_attack_id": "T1562.001", "mitre_attack_technique": "Disable or Modify Tools", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT29", "Aquatic Panda", "BRONZE BUTLER", "Ember Bear", "FIN6", "Gamaredon Group", "Gorgon Group", "Indrik Spider", "Kimsuky", "Lazarus Group", "Magic Hound", "MuddyWater", "Putter Panda", "Rocke", "TA2541", "TA505", "TeamTNT", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1562", "mitre_attack_technique": "Impair Defenses", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["Magic Hound"]}, {"mitre_attack_id": "T1112", "mitre_attack_technique": "Modify Registry", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["APT19", "APT32", "APT38", "APT41", "Blue Mockingbird", "Dragonfly", "Earth Lusca", "Ember Bear", "FIN8", "Gamaredon Group", "Gorgon Group", "Kimsuky", "LuminousMoth", "Magic Hound", "Patchwork", "Silence", "TA505", "Threat Group-3390", "Turla", "Wizard Spider"]}, {"mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": ["Command And Control"], "mitre_attack_groups": ["APT-C-36", "APT18", "APT28", "APT29", "APT3", "APT32", "APT33", "APT37", "APT38", "APT39", "APT41", "Ajax Security Team", "Andariel", "Aquatic Panda", "BITTER", "BRONZE BUTLER", "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", "Darkhotel", "Dragonfly", "Elderwood", "Ember Bear", "Evilnum", "FIN13", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", "IndigoZebra", "Indrik Spider", "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", "LuminousMoth", "Magic Hound", "Metador", 
"Molerats", "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", "PLATINUM", "Patchwork", "Rancor", "Rocke", "Sandworm Team", "SideCopy", "Sidewinder", "Silence", "TA2541", "TA505", "TA551", "TeamTNT", "Threat Group-3390", "Tonto Team", "Tropic Trooper", "Turla", "Volatile Cedar", "WIRTE", "Whitefly", "Windshift", "Winnti Group", "Wizard Spider", "ZIRCONIUM", "menuPass"]}, {"mitre_attack_id": "T1087", "mitre_attack_technique": "Account Discovery", "mitre_attack_tactics": ["Discovery"], "mitre_attack_groups": ["FIN13"]}, {"mitre_attack_id": "T1489", "mitre_attack_technique": "Service Stop", "mitre_attack_tactics": ["Impact"], "mitre_attack_groups": ["Indrik Spider", "LAPSUS$", "Lazarus Group", "Wizard Spider"]}, {"mitre_attack_id": "T1222", "mitre_attack_technique": "File and Directory Permissions Modification", "mitre_attack_tactics": ["Defense Evasion"], "mitre_attack_groups": ["no"]}, {"mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", "mitre_attack_tactics": ["Execution", "Persistence", "Privilege Escalation"], "mitre_attack_groups": ["Earth Lusca"]}, {"mitre_attack_id": "T1543.003", "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["APT19", "APT3", "APT32", "APT38", "APT41", "Blue Mockingbird", "Carbanak", "Cobalt Group", "DarkVishnya", "Earth Lusca", "FIN7", "Ke3chang", "Kimsuky", "Lazarus Group", "PROMETHIUM", "TeamTNT", "Threat Group-3390", "Tropic Trooper", "Wizard Spider"]}, {"mitre_attack_id": "T1543", "mitre_attack_technique": "Create or Modify System Process", "mitre_attack_tactics": ["Persistence", "Privilege Escalation"], "mitre_attack_groups": ["no"]}], "mitre_attack_tactics": ["Command And Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Impact", "Persistence", "Privilege Escalation", "Reconnaissance"], "datamodels": ["Endpoint"], "kill_chain_phases": ["Actions on Objectives", "Command And 
Control", "Exploitation", "Installation", "Reconnaissance"]}, "detection_names": ["ESCU - Attacker Tools On Endpoint - Rule", "ESCU - Deleting Of Net Users - Rule", "ESCU - Disable Windows App Hotkeys - Rule", "ESCU - Disabling Net User Account - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Enumerate Users Local Group Using Telegram - Rule", "ESCU - Excessive Attempt To Disable Services - Rule", "ESCU - Excessive Service Stop Attempt - Rule", "ESCU - Excessive Usage Of Cacls App - Rule", "ESCU - Excessive Usage Of Net App - Rule", "ESCU - Excessive Usage Of Taskkill - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - Hide User Account From Sign-In Screen - Rule", "ESCU - Icacls Deny Command - Rule", "ESCU - ICACLS Grant Command - Rule", "ESCU - Modify ACL permission To Files Or Folder - Rule", "ESCU - Process Kill Base On File Path - Rule", "ESCU - Schtasks Run Task On Demand - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process File Path - Rule", "ESCU - XMRIG Driver Loaded - Rule"], "investigation_names": [], "baseline_names": [], "author_company": "Rod Soto Splunk", "author_name": "Teoderick Contreras", "detections": [{"name": "Attacker Tools On Endpoint", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Match Legitimate Name or Location"}, {"mitre_attack_technique": "Masquerading"}, {"mitre_attack_technique": "OS Credential Dumping"}, {"mitre_attack_technique": "Active Scanning"}]}}, {"name": "Deleting Of Net Users", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Disable Windows App Hotkeys", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}, {"mitre_attack_technique": "Modify Registry"}]}}, {"name": "Disabling Net 
User Account", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Download Files Using Telegram", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Ingress Tool Transfer"}]}}, {"name": "Enumerate Users Local Group Using Telegram", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Discovery"}]}}, {"name": "Excessive Attempt To Disable Services", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Service Stop Attempt", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Service Stop"}]}}, {"name": "Excessive Usage Of Cacls App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Excessive Usage Of Net App", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Account Access Removal"}]}}, {"name": "Excessive Usage Of Taskkill", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Executables Or Script Creation In Suspicious Path", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Masquerading"}]}}, {"name": "Hide User Account From Sign-In Screen", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Icacls Deny Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": 
"File and Directory Permissions Modification"}]}}, {"name": "ICACLS Grant Command", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Modify ACL permission To Files Or Folder", "source": "endpoint", "type": "Anomaly", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "File and Directory Permissions Modification"}]}}, {"name": "Process Kill Base On File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Disable or Modify Tools"}, {"mitre_attack_technique": "Impair Defenses"}]}}, {"name": "Schtasks Run Task On Demand", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Scheduled Task/Job"}]}}, {"name": "Suspicious Driver Loaded Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "Suspicious Process File Path", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Create or Modify System Process"}]}}, {"name": "XMRIG Driver Loaded", "source": "endpoint", "type": "TTP", "tags": {"mitre_attack_enrichments": [{"mitre_attack_technique": "Windows Service"}, {"mitre_attack_technique": "Create or Modify System Process"}]}}]}]}
\ No newline at end of file
diff --git a/dist/api/version.json b/dist/api/version.json
index 0ed38366c0..9e2420877d 100644
--- a/dist/api/version.json
+++ b/dist/api/version.json
@@ -1 +1 @@
-{"version": {"name": "v4.19.0", "published_at": "2024-01-10T18:35:53Z"}}
\ No newline at end of file
+{"version": {"name": "v4.19.0", "published_at": "2024-01-10T18:40:46Z"}}
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index 02cc153709..16d22af12d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,14 +2,14 @@ attackcti==0.3.9
 docker==6.1.3
 GitPython==3.1.37
 Jinja2==3.1.2
-jsonschema==4.19.1
+jsonschema==4.20.0
 mock==4.0.3
-psutil==5.9.5
+psutil==5.9.6
 pycvesearch==1.2
 pydantic==1.10.8
-pysigma==0.9.8
+pysigma==0.10.9
 pysigma-backend-splunk==1.0.2
-pytest==7.4.2
+pytest==7.4.3
 PyYAML>=5.4.1
 questionary==1.10.0
 requests==2.31.0