
Commit

Merge pull request #3271 from splunk/major-updates
Multiple Rule Updates
patel-bhavin authored Jan 24, 2025
2 parents 87f9a1a + 7e3a5bc commit eaa2880
Showing 132 changed files with 1,818 additions and 3,128 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/appinspect.yml
@@ -18,7 +18,7 @@ jobs:

- name: Install Python Dependencies and ContentCTL and Atomic Red Team
run: |
pip install contentctl==v5.0.0-alpha.2
pip install contentctl==v5.0.0-alpha.3
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
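Review bot: the `pip install contentctl==v5.0.0-alpha.3` pin is edited by hand in three workflows in this commit (appinspect.yml, build.yml, unit-testing.yml); consider moving the version into a single requirements file or a shared workflow variable so the three pins cannot drift apart on the next bump. Pinning an exact pre-release build is fine while contentctl 5 stabilises, as long as the same value is guaranteed everywhere.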
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
@@ -19,7 +19,7 @@ jobs:

- name: Install Python Dependencies and ContentCTL and Atomic Red Team
run: |
pip install contentctl==v5.0.0-alpha.2
pip install contentctl==v5.0.0-alpha.3
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
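Review bot: the two `git clone --depth=1 --single-branch --branch=master` lines pull whatever the upstream heads of atomic-red-team and mitre/cti are at run time, so a build is not reproducible and any change in either external repository reaches the build unreviewed. Consider pinning each external repo to a known commit (fetch that specific revision instead of the branch head) and bumping it deliberately, the same way contentctl is pinned on the line above.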
2 changes: 1 addition & 1 deletion .github/workflows/unit-testing.yml
@@ -23,7 +23,7 @@ jobs:
- name: Install Python Dependencies and ContentCTL
run: |
python -m pip install --upgrade pip
pip install contentctl==v5.0.0-alpha.2
pip install contentctl==v5.0.0-alpha.3
# Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
# Make sure we check out the PR, even if it actually lives in a fork
@@ -1,18 +1,11 @@
name: Account Discovery With Net App
id: 339805ce-ac30-11eb-b87d-acde48001122
version: 8
date: '2024-11-13'
date: '2025-01-13'
author: Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community
status: production
status: deprecated
type: TTP
description: The following analytic detects potential account discovery activities
using the 'net' command, commonly employed by malware like Trickbot for reconnaissance.
It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line
patterns and process relationships. This activity is significant as it often precedes
further malicious actions, such as lateral movement or privilege escalation. If
confirmed malicious, attackers could gain valuable information about user accounts,
enabling them to escalate privileges or move laterally within the network, posing
a significant security risk.
description: The following analytic has been deprecated in favour of the more generic "45e52536-ae42-11eb-b5c6-acde48001122". The following analytic detects potential account discovery activities using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line patterns and process relationships. This activity is significant as it often precedes further malicious actions, such as lateral movement or privilege escalation. If confirmed malicious, attackers could gain valuable information about user accounts, enabling them to escalate privileges or move laterally within the network, posing a significant security risk.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
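Review bot: `version: 8` is left unchanged although both `status` and `description` change; the Excel Spawning Windows Script Host hunk in this same commit bumps 7 to 8 for the equivalent edit, so the deprecated detections should either all bump or none should. Also, the replacement is given only as the UUID `45e52536-ae42-11eb-b5c6-acde48001122`; adding the replacement's name, as the Excel and Office hunks do, saves operators a lookup when they migrate.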
@@ -1,11 +1,12 @@
name: Attempted Credential Dump From Registry via Reg exe
id: e9fb4a59-c5fb-440a-9f24-191fbc6b2911
version: 12
date: '2024-12-10'
date: '2025-01-15'
author: Patrick Bareiss, Splunk
status: production
status: deprecated
type: TTP
description: The following analytic detects the execution of reg.exe with parameters
description: The following analytic has been deprecated in favour of "8bbb7d58-b360-11eb-ba21-acde48001122".
The following analytic detects the execution of reg.exe with parameters
that export registry keys containing hashed credentials. It leverages data from
Endpoint Detection and Response (EDR) agents, focusing on command-line executions
involving reg.exe or cmd.exe with specific registry paths. This activity is significant
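Review bot: the deprecation sentence points at `8bbb7d58-b360-11eb-ba21-acde48001122` with no detection name, and `version: 12` is not bumped despite the status change. Name the replacement analytic next to its id so a reader of the rendered docs knows which detection to enable instead of this one.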
@@ -1,45 +1,17 @@
name: Detect Critical Alerts from Security Tools
id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd
version: 2
date: '2024-11-13'
date: '2025-01-13'
author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Bryan Pluta, Splunk
status: production
status: deprecated
type: TTP
data_source:
- Windows Defender Alerts
- MS365 Defender Incident Alerts
description: The following analytics is to detect high and critical alerts from endpoint
security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query
aggregates and summarizes critical severity alerts from the Alerts data model, providing
details such as the alert signature, application, description, source, destination,
and timestamps, while applying custom filters and formatting for enhanced analysis
in a SIEM environment.This capability allows security teams to efficiently allocate
resources and maintain a strong security posture, while also supporting compliance
with regulatory requirements by providing a clear record of critical security events.
We tested these detections with logs from Microsoft Defender, however this detection
should work for any security alerts that are ingested into the alerts data model.
**Note** - We are dynamically creating the risk_score field based on the severity
of the alert in the SPL and that supersedes the risk score set in the detection.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id)
as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity
values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature)
as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as
dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src
Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval
risk_score=case(severity="informational", 2, severity="low", 5, severity="medium",
10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`'
how_to_implement: In order to properly run this search, you to ingest alerts data
from other security products such as Crowdstrike, Microsoft Defender, or Carbon
Black using appropriate TAs for that technology. Once ingested, the fields should
be mapped to the Alerts data model. Make sure to apply transformation on the data
if necessary. The risk_score field is used to calculate the risk score for the alerts
and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework
is dynamically created by the detection when this is triggered. These fields need
not be set in the adaptive response actions.
known_false_positives: False positives may vary by endpoint protection tool; monitor
and filter out the alerts that are not relevant to your environment.
description: The following analytic has been deprecated in favour of specific and dedicated product analytics such as "Microsoft Defender ATP Alerts". The following analytic is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`'
how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions.
known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment.
references:
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/accessing-microsoft-defender-for-cloud-alerts-in-splunk-using/ba-p/938228
- https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts
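Review bot: the reflow onto single lines carries over three pre-existing text defects worth fixing while the file is touched: `you to ingest` (missing `need`), `SIEM environment.This` (missing space), and the `how_to_implement` sentence `The risk_score field is used to calculate the risk score ... framework is dynamically created by the detection`, which runs two sentences together. `version: 2` also stays unchanged while `status` flips to deprecated; bump it to match the Excel Spawning Windows Script Host hunk.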
@@ -1,17 +1,11 @@
name: Domain Account Discovery With Net App
id: 98f6a534-04c2-11ec-96b2-acde48001122
version: 5
date: '2024-11-13'
date: '2025-01-13'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
status: deprecated
type: TTP
description: The following analytic detects the execution of `net.exe` or `net1.exe`
with command-line arguments used to query domain users. It leverages data from Endpoint
Detection and Response (EDR) agents, focusing on process names and command-line
executions. This activity is significant as it may indicate an attempt by adversaries
to enumerate domain users for situational awareness and Active Directory discovery.
If confirmed malicious, this behavior could allow attackers to map out user accounts,
potentially leading to further exploitation or lateral movement within the network.
description: This following analytic has been deprecated in favour of the generic version "5d0d4830-0133-11ec-bae3-acde48001122". The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
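Review bot: `This following analytic has been deprecated` should read `The following analytic has been deprecated`, matching the wording used in the other deprecation notes in this commit; `version: 5` is also left unchanged despite the status change.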
@@ -1,18 +1,11 @@
name: Domain Group Discovery With Net
id: f2f14ac7-fa81-471a-80d5-7eb65c3c7349
version: 6
date: '2024-12-16'
date: '2025-01-13'
author: Mauricio Velazco, Splunk
status: production
status: deprecated
type: Hunting
description: The following analytic identifies the execution of `net.exe` with command-line
arguments used to query domain groups, specifically `group /domain`. It leverages
data from Endpoint Detection and Response (EDR) agents, focusing on process names
and command-line arguments. This activity is significant as it indicates potential
reconnaissance efforts by adversaries to enumerate domain groups, which is a common
step in Active Directory Discovery. If confirmed malicious, this behavior could
allow attackers to gain insights into the domain structure, aiding in further attacks
such as privilege escalation or lateral movement.
description: This search has been deprecated in favour of the more generic analytic "c5c8e0f3-147a-43da-bf04-4cfaec27dc44". The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
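Review bot: this hunk and the Net Localgroup Discovery hunk both defer to `c5c8e0f3-147a-43da-bf04-4cfaec27dc44`; that is fine if one generic analytic now covers both local and domain group enumeration, but stating its name here would make the consolidation explicit and let a reader confirm that the replacement still covers the `group /domain` case this Hunting search targeted. `version: 6` is unchanged.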
@@ -1,11 +1,12 @@
name: Excel Spawning PowerShell
id: 42d40a22-9be3-11eb-8f08-acde48001122
version: 7
date: '2024-12-10'
date: '2025-01-13'
author: Michael Haag, Splunk
status: production
status: deprecated
type: TTP
description: The following analytic detects Microsoft Excel spawning PowerShell, an
description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
The following analytic detects Microsoft Excel spawning PowerShell, an
uncommon and suspicious behavior. This detection leverages data from Endpoint Detection
and Response (EDR) agents, focusing on process creation events where the parent
process is "excel.exe" and the child process is PowerShell. This activity is significant
@@ -1,11 +1,12 @@
name: Excel Spawning Windows Script Host
id: 57fe880a-9be3-11eb-9bf3-acde48001122
version: 7
date: '2024-12-10'
version: 8
date: '2025-01-13'
author: Michael Haag, Splunk
status: production
status: deprecated
type: TTP
description: The following analytic identifies instances where Microsoft Excel spawns
description: The following analytic has been deprecated in favour of a more generic approach.
The following analytic identifies instances where Microsoft Excel spawns
Windows Script Host processes (`cscript.exe` or `wscript.exe`). This behavior is
detected using Endpoint Detection and Response (EDR) telemetry, focusing on process
creation events where the parent process is `excel.exe`. This activity is significant
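Review bot: the deprecation note says only `in favour of a more generic approach` without naming the replacement, whereas the sibling Excel Spawning PowerShell hunk names `Windows Office Product Spawned Uncommon Process`; name it here too so operators know which analytic to enable instead. This is also the only deprecated detection in the commit that bumps `version` (7 to 8); the others should be made consistent with it.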
@@ -83,7 +84,6 @@ tags:
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
@@ -1,17 +1,11 @@
name: Net Localgroup Discovery
id: 54f5201e-155b-11ec-a6e2-acde48001122
version: 5
date: '2024-12-10'
date: '2025-01-13'
author: Michael Haag, Splunk
status: production
status: deprecated
type: Hunting
description: The following analytic detects the execution of the `net localgroup`
command, which is used to enumerate local group memberships on a system. It leverages
data from Endpoint Detection and Response (EDR) agents, focusing on process execution
logs that include command-line details. This activity is significant because it
can indicate an attacker is gathering information about local group memberships,
potentially to identify privileged accounts. If confirmed malicious, this behavior
could lead to further privilege escalation or lateral movement within the network.
description: This search has been deprecated in favour of the more generic analytic "c5c8e0f3-147a-43da-bf04-4cfaec27dc44". The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
@@ -1,11 +1,12 @@
name: Office Application Spawn Regsvr32 process
id: 2d9fc90c-f11f-11eb-9300-acde48001122
version: 8
date: '2024-12-10'
date: '2025-01-13'
author: Teoderick Contreras, Splunk
status: production
status: deprecated
type: TTP
description: The following analytic identifies instances where an Office application
description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
The following analytic identifies instances where an Office application
spawns a Regsvr32 process, which is often indicative of macro execution or malicious
code. This detection leverages data from Endpoint Detection and Response (EDR) agents,
focusing on process creation events where the parent process is a known Office application.
@@ -1,11 +1,12 @@
name: Office Application Spawn rundll32 process
id: 958751e4-9c5f-11eb-b103-acde48001122
version: 8
date: '2024-12-10'
date: '2025-01-13'
author: Teoderick Contreras, Splunk
status: production
status: deprecated
type: TTP
description: The following analytic identifies instances where an Office application
description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".
The following analytic identifies instances where an Office application
spawns a rundll32 process, which is often indicative of macro execution or malicious
code. This detection leverages data from Endpoint Detection and Response (EDR) agents,
focusing on process creation events where the parent process is a known Office application.