From a8c3540aa8d060102091dd5975d72dc6cf5dfc73 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali Date: Wed, 8 Jan 2025 14:46:37 +0100 Subject: [PATCH 01/37] typo fixes and some logic update --- .../endpoint/linux_auditd_add_user_account.yml | 2 +- .../linux_auditd_add_user_account_type.yml | 2 +- .../linux_auditd_at_application_execution.yml | 2 +- .../linux_auditd_auditd_service_stop.yml | 4 ++-- .../linux_auditd_base64_decode_files.yml | 2 +- .../linux_auditd_change_file_owner_to_root.yml | 2 +- .../linux_auditd_clipboard_data_copy.yml | 2 +- .../linux_auditd_data_destruction_command.yml | 2 +- ...itd_data_transfer_size_limits_via_split.yml | 2 +- ..._transfer_size_limits_via_split_syscall.yml | 2 +- ...d_database_file_and_directory_discovery.yml | 2 +- .../linux_auditd_dd_file_overwrite.yml | 2 +- ...uditd_disable_or_modify_system_firewall.yml | 4 ++-- .../linux_auditd_doas_conf_file_creation.yml | 4 ++-- .../linux_auditd_doas_tool_execution.yml | 2 +- .../linux_auditd_edit_cron_table_parameter.yml | 2 +- ...nux_auditd_file_and_directory_discovery.yml | 2 +- ..._file_permission_modification_via_chmod.yml | 2 +- ...ile_permissions_modification_via_chattr.yml | 2 +- ...find_credentials_from_password_managers.yml | 2 +- ...d_find_credentials_from_password_stores.yml | 2 +- .../linux_auditd_find_private_keys.yml | 2 +- .../linux_auditd_find_ssh_private_keys.yml | 2 +- .../linux_auditd_hardware_addition_swapoff.yml | 2 +- ...d_hidden_files_and_directories_creation.yml | 2 +- ...sert_kernel_module_using_insmod_utility.yml | 2 +- ...ll_kernel_module_using_modprobe_utility.yml | 2 +- .../linux_auditd_kernel_module_enumeration.yml | 2 +- ...uditd_kernel_module_using_rmmod_utility.yml | 2 +- ...x_auditd_nopasswd_entry_in_sudoers_file.yml | 2 +- .../linux_auditd_osquery_service_stop.yml | 4 ++-- ...ess_or_modification_of_sshd_config_file.yml | 2 +- ...itd_possible_access_to_credential_files.yml | 2 +- ..._auditd_possible_access_to_sudoers_file.yml | 2 +- ..._cronjob_entry_on_existing_cronjob_file.yml | 4 ++-- 
...nux_auditd_preload_hijack_library_calls.yml | 2 +- ..._auditd_preload_hijack_via_preload_file.yml | 4 ++-- .../linux_auditd_service_restarted.yml | 2 +- .../endpoint/linux_auditd_service_started.yml | 2 +- ...linux_auditd_setuid_using_chmod_utility.yml | 2 +- ...inux_auditd_setuid_using_setcap_utility.yml | 2 +- .../linux_auditd_shred_overwrite_command.yml | 2 +- .../endpoint/linux_auditd_stop_services.yml | 18 +++++++++--------- .../linux_auditd_sudo_or_su_execution.yml | 2 +- .../linux_auditd_sysmon_service_stop.yml | 4 ++-- ..._system_network_configuration_discovery.yml | 2 +- ...d_unix_shell_configuration_modification.yml | 4 ++-- ...linux_auditd_unload_module_via_modprobe.yml | 2 +- ...rtual_disk_file_and_directory_discovery.yml | 2 +- .../linux_auditd_whoami_user_discovery.yml | 2 +- ...shell_process___execution_policy_bypass.yml | 8 ++++---- .../print_spooler_failed_to_load_a_plug_in.yml | 2 +- ...installation_with_suspicious_parameters.yml | 6 +++--- ...ws_domain_admin_impersonation_indicator.yml | 2 +- ...s_service_creation_using_registry_entry.yml | 8 ++++---- playbooks/risk_notable_import_data.json | 2 +- playbooks/risk_notable_import_data.py | 2 +- 57 files changed, 81 insertions(+), 81 deletions(-)
diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml
index 3fd4de81ce..aca8ced3d0 100644
--- a/detections/endpoint/linux_auditd_add_user_account.yml
+++ b/detections/endpoint/linux_auditd_add_user_account.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the creation of new user accounts on
 data_source:
 - Linux Auditd Proctitle
 search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 references:
 - https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index 19e183e33c..6080f61072 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
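Review bot: The rewritten `how_to_implement` line still reads `auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions`; `which captures` should agree with `events` (`which capture`), and `TYPE` looks like the auditd field name (the searches in these hunks filter on `type=SYSCALL`, `type=ADD_USER`, `type=SERVICE_STOP`) rather than a fourth record type next to SYSCALL, EXECVE and PROCTITLE, so if that reading is right it is a leftover and the list should drop it. The same sentence is repeated verbatim in every other `how_to_implement` hunk of this patch (add_user_account_type, at_application_execution, auditd_service_stop, base64_decode_files, change_file_owner_to_root, clipboard_data_copy, data_destruction_command, both data_transfer_size_limits_via_split files, database_file_and_directory_discovery, dd_file_overwrite), so the wording fix belongs in all of them. Because this paragraph is duplicated across dozens of detections, keeping it in one shared snippet or generating it would stop the next wording fix from having to touch every file by hand.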
@@ -9,7 +9,7 @@ description: The following analytic detects the suspicious add user account type
 data_source:
 - Linux Auditd Add User
 search: '`linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml
index e142bdd4cf..63a79584b6 100644
--- a/detections/endpoint/linux_auditd_at_application_execution.yml
+++ b/detections/endpoint/linux_auditd_at_application_execution.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of the "At" applicatio
 data_source:
 - Linux Auditd Syscall
 search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://attack.mitre.org/techniques/T1053/001/
diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml
index e90f3fec26..2f3a32c0b1 100644
--- a/detections/endpoint/linux_auditd_auditd_service_stop.yml
+++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the suspicious auditd service stop.
 data_source:
 - Linux Auditd Service Stop
 search: '`linux_auditd` type=SERVICE_STOP unit IN ("auditd") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_auditd_service_stop_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
@@ -31,7 +31,7 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: A service event - [$type$] event occured on host - [$dest$].
+  message: A service event - [$type$] event occurred on host - [$dest$].
   mitre_attack_id:
   - T1489
   observable:
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index 907eb58b78..536a69b3b2 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious Base64 decode operations
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_base64_decode_files_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
index 3c8eba210c..07c7501efb 100644
--- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the use of the 'chown' command to ch
 data_source:
 - Linux Auditd Proctitle
 search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as dest | where LIKE (process_exec, "%chown %root%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_change_file_owner_to_root_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 references:
 - https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users
diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
index 8970534501..eea26987d2 100644
--- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the use of the Linux 'xclip' command
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%xclip%") AND (LIKE(process_exec, "%clipboard%") OR LIKE(process_exec, "%-o%") OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, "%-selection %") OR LIKE(process_exec, "%sel %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_clipboard_data_copy_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed.
 references:
 - https://attack.mitre.org/techniques/T1115/
diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml
index e67774b5c1..fb2cb5fa5a 100644
--- a/detections/endpoint/linux_auditd_data_destruction_command.yml
+++ b/detections/endpoint/linux_auditd_data_destruction_command.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of a Unix shell comman
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%rm %") AND LIKE (process_exec, "% -rf %") AND LIKE (process_exec, "%--no-preserve-root%") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_destruction_command_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: unknown
 references:
 - https://cert.gov.ua/article/3718487
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
index 820564df65..ee0c06ce7d 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious data transfer activities
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
index 9684772de3..b1edc0205e 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious data transfer activities
 data_source:
 - Linux Auditd Syscall
 search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
index da49b339d6..bcf7f46933 100644
--- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious database file and directo
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_database_file_and_directory_discovery_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
index 3a60721624..4ed51e4a3f 100644
--- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the use of the 'dd' command to overw data_source: - Linux Auditd Proctitle search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_dd_file_overwrite_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://gtfobins.github.io/gtfobins/dd/ diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml index 84510717a5..9a72aac6c5 100644 --- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects the suspicious disable or modify sys data_source: - Linux Auditd Service Stop search: '`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_disable_or_modify_system_firewall_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html @@ -31,7 +31,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: A service event - [$type$] to disable or modify system firewall occured on host - [$dest$] . + message: A service event - [$type$] to disable or modify system firewall occurred on host - [$dest$] . mitre_attack_id: - T1562.004 - T1562 diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index 50a5fde6ec..d8366159cb 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml 
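Review bot: The `unit IN ("firewalld", "ufw")` filter in the search line of this hunk (unchanged context, shown in full) covers only two firewall front-ends, so a SERVICE_STOP for the `nftables` or `iptables` units on hosts that manage the firewall directly through those services is not detected; if those are in scope, `unit IN ("firewalld", "ufw", "nftables", "iptables")` closes the gap, with a matching sentence in `known_false_positives`. This is outside the lines the commit changes and may be a deliberate scope choice, so treat it as a follow-up rather than a blocker.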
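Review bot: The corrected message still has a stray space before the final period (`[$dest$] .`); since this line is being rewritten anyway, `message: A service event - [$type$] to disable or modify system firewall occurred on host - [$dest$].` would fix it in the same pass. The `tags:` block this hunk sits in continues outside the hunk.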
@@ -9,7 +9,7 @@ description: The following analytic detects the creation of the doas.conf file o data_source: - Linux Auditd Path search: '`linux_auditd` type=PATH name ="/etc/doas.conf*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_doas_conf_file_creation_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://wiki.gentoo.org/wiki/Doas @@ -31,7 +31,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: A [$type$] event occured on host - [$dest$] to create a doas.conf file. + message: A [$type$] event occurred on host - [$dest$] to create a doas.conf file. mitre_attack_id: - T1548.003 - T1548 diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index 934aa7c17d..72bec21b53 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml 
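Review bot: The search line in this hunk (unchanged context) matches every `type=PATH` record whose `name` starts with `/etc/doas.conf`, while the rule's title and message describe creation; as far as I can tell a PATH record is also produced for reads and rewrites of an existing file, so without a `nametype` constraint the analytic fires on any audited access, which widens the `known_false_positives` surface beyond what the description implies. If creation is the intent, `type=PATH name ="/etc/doas.conf*" nametype=CREATE` narrows it; if any access is intended, the description and `message` should say so. This is outside the lines the commit changes.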
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of the 'doas' tool on data_source: - Linux Auditd Syscall search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_doas_tool_execution_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://wiki.gentoo.org/wiki/Doas diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index 07d145ef1b..3369a4c80b 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects the suspicious editing of cron jobs data_source: - Linux Auditd Syscall search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_edit_cron_table_parameter_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1053/003/ diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml index 408246dd45..ec265f42cb 100644 --- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious file and directory discov data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE (process_exec, "%.svg%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_and_directory_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml index c0930c2ab8..eb428c3c0e 100644 --- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml +++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml 
@@ -22,7 +22,7 @@ search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename hos max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_permission_modification_via_chmod_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml index fbbd639de3..4c46e7a037 100644 --- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml +++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious file permissions modifica data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%chattr %") AND LIKE(process_exec, "% -i%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_permissions_modification_via_chattr_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml index d4897a6360..edf1c9f44e 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml 
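Review bot: `data_source` in this hunk declares `Linux Auditd Execve`, but the search line (unchanged context) uses the `linux_auditd_normalized_proctitle_process` macro and groups by `proctitle normalized_proctitle_delimiter`, i.e. the PROCTITLE-based pipeline that linux_auditd_dd_file_overwrite in this same patch declares as `Linux Auditd Proctitle`. If `data_source` drives test-data or data-source mapping, the mismatch points at the wrong sample; `- Linux Auditd Proctitle` looks like the right value here. The same mismatch appears in linux_auditd_hardware_addition_swapoff later in the patch, which also uses the proctitle macro under `Linux Auditd Execve`. Both are outside the lines the commit changes.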
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious attempts to find credenti data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml index 9adac7eebd..602f0ad3b5 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml 
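Review bot: The `%KeePass\.enforced%` term in the search line (unchanged context) carries a regex-style `\.` into an SPL `LIKE` pattern, whose only wildcards are `%` and `_`; a `.` needs no escaping there, so the backslash is presumably matched literally and that branch likely never fires. `LIKE (process_exec, "%KeePass.enforced%")` matches the intended filename — confirm against how the search parser treats `\.` inside a quoted string. The remaining branches such as `%vault%` and `%enpass%` are plain substring matches that will also hit unrelated paths (any command line containing `vault`, for example), which is worth stating in `known_false_positives` since that field currently only mentions automation use.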
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious attempts to find credenti data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%password%") OR LIKE (process_exec, "%pass %") OR LIKE (process_exec, "%credential%")OR LIKE (process_exec, "%creds%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_stores_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html diff --git a/detections/endpoint/linux_auditd_find_private_keys.yml b/detections/endpoint/linux_auditd_find_private_keys.yml index 713ccc03a2..36f223e8d0 100644 --- a/detections/endpoint/linux_auditd_find_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_private_keys.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious attempts to find private data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%")OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_private_keys_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml index 03daf2d62b..9435ba0ee7 100644 --- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious attempts to find SSH priv data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%id_rsa%") OR LIKE (process_exec, "%id_dsa%")OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%ssh_key%")OR LIKE (process_exec, "%authorized_keys%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_ssh_private_keys_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml index b6b196b857..d44992d250 100644 --- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml 
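Review bot: The search line in this hunk (unchanged context) includes `%authorized_keys%` under a rule titled and described as finding SSH private keys, but `authorized_keys` holds public keys; the match is still a useful collection indicator, so either the description should say "SSH key material" or the term should move to a separate analytic. The `%.key%` term is also broad enough to match unrelated paths, which `known_false_positives` does not currently mention. This is outside the lines the commit changes.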
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of the "swapoff" comma data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%swapoff %") AND LIKE(process_exec, "% -a%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_hardware_addition_swapoff_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: administrator may disable swapping of devices in a linux host. Filter is needed. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml index f4b313e1ab..1b748cba78 100644 --- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml 
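Review bot: The flag test in the `search` line, `LIKE(process_exec, "% -a%")`, only matches the short option, so `swapoff --all` (the documented long form) is missed while `swapoff -a` is caught; the condition should become `AND (LIKE(process_exec, "% -a%") OR LIKE(process_exec, "% --all%"))`. Disabling a single swap area by path (`swapoff /dev/sdb2`) is also outside the pattern, which is a defensible scope for a rule about `-a` but deserves a sentence in the description so analysts do not assume full coverage. The tags and message for this detection are outside the hunk.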
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious creation of hidden files data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec," /.%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_hidden_files_and_directories_creation_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml index c2c9ccc05c..eec408eae0 100644 --- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml @@ -19,7 +19,7 @@ search: '`linux_auditd` type=SYSCALL comm=insmod | rename host as dest | stats c success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_insert_kernel_module_using_insmod_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step 
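Review bot: Two of the three path patterns in the hidden-files `search` line, `LIKE(process_exec," .%")` and `LIKE(process_exec," /.%")`, have no leading `%`, so they can only match when `process_exec` begins with a space; in practice only `"% ./.%"` can ever fire, and the common forms `touch .profile_bak` or `mkdir /tmp/.cache` go undetected. Adding the wildcard (`"% .%"`, `"%/.%"`) fixes the anchoring but then also matches `./x` and `../x` prefixes, so the precise form is a regex on the same field, e.g. `AND match(process_exec, "(^|[\s/])\.[^./\s]")`, which requires a dot that starts a path component and is followed by a real name character. `"%vi %"` already matches `vim `, so the separate `vim` clause is redundant but harmless. The remainder of the detection is outside this hunk.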
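Review bot: The `search` keys the detection on `comm=insmod`, which is the process's own short name and is trivially changed by copying the binary (`cp /sbin/insmod /tmp/x; /tmp/x rootkit.ko`), while the fields an attacker cannot rename, `exe` and `SYSCALL`, are only grouped on, never filtered. Keying on the syscall instead, `type=SYSCALL SYSCALL IN ("init_module","finit_module")`, catches insmod, modprobe and hand-rolled loaders regardless of name; whether the field arrives as the resolved name or the raw number depends on how the add-on parses `syscall=`, so confirm against ingested events. As written, grouping `by ... SYSCALL ...` also yields one row per distinct syscall insmod makes (open, read, mmap, ...), inflating counts for a single load. The `search` value starts before this hunk; only its tail is visible in the hunk header.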
diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
index 9751b854ce..7bd5b274f9 100644
--- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the installation of a Linux kernel m data_source: - Linux Auditd Syscall search: '`linux_auditd` type=SYSCALL comm=modprobe | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_install_kernel_module_using_modprobe_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml index c65b5ad0ef..43c97d4a6f 100644 --- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml @@ -19,7 +19,7 @@ search: '`linux_auditd` type=SYSCALL comm=lsmod | rename host as dest | stats c success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `linux_auditd_kernel_module_enumeration_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml index 6c4145b1ef..f401ae1c76 100644 --- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml +++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml 
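Review bot: `comm=modprobe` in the `search` line will, as far as I can tell, also match the kernel's own autoload path, since the kernel spawns `/sbin/modprobe` as a usermode helper whenever a driver is needed (hotplug, mounts, netfilter), so on an ordinary host this fires as `UID=0` with no interactive parent and the `known_false_positives` note about administrators understates the volume. A narrower form is `type=SYSCALL comm=modprobe SYSCALL IN ("init_module","finit_module") success=yes`, or at least surface `ppid` in the message so autoload (parent is a kernel thread) can be separated from an operator-driven `modprobe` in the filter macro. Field naming for the resolved syscall depends on the add-on; verify on live data before changing the filter. The tags and message of this detection are outside the hunk.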
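Review bot: The `search` detects enumeration only when the `lsmod` wrapper runs, but `lsmod` merely formats `/proc/modules`, so `cat /proc/modules`, `ls /sys/module` or any script reading those paths produces no match; the description should say so instead of implying kernel-module enumeration is covered. I would add to the description: `Direct reads of /proc/modules or /sys/module are not captured by this rule.` The `search` value begins before this hunk; only its tail is visible in the hunk header.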
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious use of the `rmmod` utilit data_source: - Linux Auditd Syscall search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_kernel_module_using_rmmod_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml index 37a7748495..b018346985 100644 --- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml 
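Review bot: The `search` line keys on `comm=rmmod`, so a module removed through `modprobe -r`, a renamed copy of `rmmod`, or a direct `delete_module` call from a dropper does not match; the robust key is the syscall itself, `type=SYSCALL SYSCALL="delete_module"`, which covers every unloading path regardless of tool name. If `comm` matching is kept for readability, the description should at least state that `modprobe -r` is expected to be caught by the separate modprobe rule and that a renamed binary evades this one. Whether `SYSCALL` holds the resolved name or the raw number depends on the add-on's parsing, so check before editing the filter. The rest of the detection is outside this hunk.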
@@ -9,7 +9,7 @@ description: The following analytic detects the addition of NOPASSWD entries to data_source: - Linux Auditd Proctitle search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%NOPASSWD%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_nopasswd_entry_in_sudoers_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml index f8218b50a6..5ef5f252b7 100644 --- a/detections/endpoint/linux_auditd_osquery_service_stop.yml +++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml 
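Review bot: The `search` line matches the bare string `NOPASSWD` anywhere in the proctitle with no sudoers path constraint, so a benign check such as `grep NOPASSWD /etc/sudoers` fires, while the usual write paths (`visudo`, or `echo "... NOPASSWD: ALL" > /etc/sudoers.d/x` where `echo` is a shell builtin and the redirect never reaches argv) leave no `NOPASSWD` on any `execve` and are missed. Tightening to `where LIKE(process_exec, "%NOPASSWD%") AND LIKE(process_exec, "%sudoers%")` removes the first class; the second is a real blind spot that should be documented in the description and is better covered by the PATH-based sudoers rule in this same change set. The `known_false_positives` text ("can execute this command") does not say which command; make it concrete. Tags and message for this detection are outside the hunk.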
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious stopping of the `osquery` data_source: - Linux Auditd Service Stop search: '`linux_auditd` type=SERVICE_STOP unit IN ("osqueryd") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_osquery_service_stop_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html @@ -31,7 +31,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 80 - message: A service event - [$type$] event occured on host - [$dest$] to stop the osquery service. + message: A service event - [$type$] event occurred on host - [$dest$] to stop the osquery service. mitre_attack_id: - T1489 observable: diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index 5b1bb8f93a..1e6024027c 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml 
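Review bot: `type=SERVICE_STOP unit IN ("osqueryd")` in the `search` line will also match the routine stop systemd issues for every unit during shutdown and reboot, and the grouped `comm`/`exe` in that record identify systemd itself rather than whoever ran `systemctl stop osqueryd`; the message should direct analysts to pivot to the preceding `execve` of `systemctl`/`service`, and shutdown windows should be excluded, for example by correlating with `type=SYSTEM_SHUTDOWN` on the same `dest` or via the filter macro. Terminating the daemon another way (`kill -9`, `systemctl mask`, package removal) may not produce a SERVICE_STOP at all, which deserves a sentence in the description. I am inferring the shutdown behaviour from systemd's audit emission; confirm on a test host. The file's second hunk (message typo) follows on this same line.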
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious access or modification of data_source: - Linux Auditd Path search: '`linux_auditd` type=PATH name="/etc/ssh/ssh_config*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml index 7a393d7dc3..3a4a2cfde7 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml 
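Review bot: The `search` line matches `name="/etc/ssh/ssh_config*"`, which is the client configuration (`ssh_config`, `ssh_config.d/`), not the daemon file this rule is named and described for: `/etc/ssh/sshd_config` does not begin with `/etc/ssh/ssh_config`, so access to `sshd_config` or `sshd_config.d/` never matches. Change it to `name IN ("/etc/ssh/sshd_config*", "/etc/ssh/ssh_config*")` if both are wanted, or to `name="/etc/ssh/sshd_config*"` alone to match the title. The rewritten `how_to_implement` line lists `SYSCALL, TYPE, EXECVE and PROCTITLE` as the needed records, but this rule consumes `PATH` records, which only exist when a file-watch rule such as `-w /etc/ssh -p wa` is loaded; since `TYPE` is the field name rather than a record type, I would write `SYSCALL, EXECVE, PROCTITLE and PATH events (PATH records require auditd file-watch rules on the monitored paths), which capture ...`. Tags and message of this detection are outside the hunk.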
@@ -9,7 +9,7 @@ description: The following analytic detects attempts to access or dump the conte data_source: - Linux Auditd Proctitle search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE (process_exec, "%shadow%") OR LIKE (process_exec, "%passwd%")) AND (LIKE (process_exec, "%cat %") OR LIKE (process_exec, "%nano %")OR LIKE (process_exec, "%vim %") OR LIKE (process_exec, "%vi %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_possible_access_to_credential_files_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. 
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index 19ab4be8f0..6dfa906169 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml 
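Review bot: The `search` line treats `%passwd%` and `%shadow%` identically, but `/etc/passwd` is world-readable and read routinely by scripts and operators (`cat /etc/passwd` is everyday usage), so the `passwd` branch will dominate alert volume at the same severity as a read of `/etc/shadow`; either move `%passwd%` to its own lower-severity rule or require `shadow` here, e.g. `where LIKE(process_exec, "%shadow%") AND (...)`. On the coverage side only four readers are listed: `less`, `more`, `head`, `tail`, `cp`, `getent shadow` and `unshadow` all bypass the rule, and a PATH-based watch on `/etc/shadow` (the approach the sudoers rule in this same change uses) would be the tool-independent alternative. `"%vi %"` already matches `vim `, so the `vim` clause is redundant. The remainder of the detection is outside this hunk.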
@@ -9,7 +9,7 @@ description: The following analytic detects potential access or modification of data_source: - Linux Auditd Path search: '`linux_auditd` type=PATH name="/etc/sudoers*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_access_to_sudoers_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1548/003/ diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 93646f121e..82bb125034 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -19,7 +19,7 @@ search: '`linux_auditd` type=PATH name IN("*/etc/cron*", "*/var/spool/cron/*", " by name nametype OGID dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step @@ -45,7 +45,7 @@ tags: asset_type: Endpoint confidence: 70 impact: 70 - message: A [$type$] event has occured on host - [$dest$] to append a cronjob entry + message: A [$type$] event has occurred on host - [$dest$] to append a cronjob entry on an existing cronjob file. mitre_attack_id: - T1053.003 
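Review bot: `name="/etc/sudoers*"` in the `search` line assumes the PATH record holds an absolute path, but `name` is the path exactly as the process passed it to the syscall, so `cd /etc && vi sudoers` or an edit of `sudoers.d/x` from a relative working directory is recorded as `name=sudoers` / `name=sudoers.d/x` and is missed; `name="*sudoers*"` (or a join on the companion `CWD` record) closes that gap at the cost of matching unrelated files containing the word. The description should also say the rule depends on file-watch audit rules such as `-w /etc/sudoers -p wa -k sudoers` and `-w /etc/sudoers.d/ -p wa -k sudoers`, since without them no PATH records are generated for these files at all. Tags and message of this detection are outside the hunk.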
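Review bot: The cron `search` groups only `by name nametype OGID dest`, so the PATH record alone cannot distinguish a write (the append the title promises) from a read: the cron daemon, `crontab -l` and `cat /etc/crontab` produce the same `nametype=NORMAL` PATH entries whenever the watch rule includes `r`, which would make this rule fire continuously. The working assumption must be that sites load write-only watches (`-p wa`) on `/etc/crontab`, `/etc/cron.d`, `/var/spool/cron` and friends, and that should be stated in `how_to_implement`; otherwise a join to the parent SYSCALL record's open flags is needed to keep the "append" claim honest. The `search` value begins before this hunk, so only the tail of the `name IN (...)` list is visible here.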
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
index b0b87780b3..9f9601d818 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the use of the LD_PRELOAD environmen data_source: - Linux Auditd Execve search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%LD_PRELOAD%")| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_preload_hijack_library_calls_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. 
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: - https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index ed9d9ff948..0392e6f344 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml 
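Review bot: `LIKE(process_exec, "%LD_PRELOAD%")` on EXECVE arguments can only see the variable when it is part of argv, as in `env LD_PRELOAD=/tmp/x.so prog` or `sudo LD_PRELOAD=/tmp/x.so prog`; the canonical shell form `LD_PRELOAD=/tmp/x.so prog` (and `export LD_PRELOAD=...` in a script) is consumed by the shell as an environment assignment and never appears in the child's `execve` arguments, and auditd does not record the environment, so as far as I can tell the most common usage is invisible to this rule. That limitation should be stated in the description, e.g. `Only invocations where LD_PRELOAD appears on the command line (env, sudo) are detected; shell-level assignments are not visible in auditd.`, with a pointer to the companion `/etc/ld.so.preload` PATH rule in this change set as the persistent-variant coverage. The tags and message of this detection are outside the hunk.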
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious preload hijacking via the
 data_source:
 - Linux Auditd Path
 search: '`linux_auditd` type=PATH name="/etc/ld.so.preload*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_preload_hijack_via_preload_file_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
@@ -31,7 +31,7 @@ tags:
 asset_type: Endpoint
 confidence: 90
 impact: 90
- message: A [$type$] event has occured on host - [$dest$] to modify the preload file.
+ message: A [$type$] event has occurred on host - [$dest$] to modify the preload file.
 mitre_attack_id:
 - T1574.006
 - T1574
diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml
index 87bbb2e1ec..827bb36175 100644
--- a/detections/endpoint/linux_auditd_service_restarted.yml
+++ b/detections/endpoint/linux_auditd_service_restarted.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the restarting or re-enabling of ser
 data_source:
 - Linux Auditd Proctitle
 search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service %") ) AND(LIKE(process_exec, "%restart%") OR LIKE(process_exec, "%reenable%") OR LIKE(process_exec, "%reload%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_service_restarted_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://attack.mitre.org/techniques/T1543/003/
diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml
index 127d703220..09f64c1243 100644
--- a/detections/endpoint/linux_auditd_service_started.yml
+++ b/detections/endpoint/linux_auditd_service_started.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the suspicious service started. This
 data_source:
 - Linux Auditd Proctitle
 search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service %") ) AND(LIKE(process_exec, "% start %") OR LIKE(process_exec, "% enable %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_service_started_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
index c8ade3e08d..bf1be4bd81 100644
--- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of the chmod utility t
 data_source:
 - Linux Auditd Proctitle
 search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%chmod %") AND (LIKE (process_exec, "% u+s %") OR LIKE (process_exec, "% g+s %") OR LIKE (process_exec, "% 4777 %") OR LIKE (process_exec, "% 4577 %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_chmod_utility_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 references:
 - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
index dab576f585..7eba7152fe 100644
--- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of the 'setcap' utilit
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%setcap %") AND (LIKE (process_exec, "% cap_setuid+ep %") OR LIKE (process_exec, "% cap_setuid=ep %") OR LIKE (process_exec, "% cap_net_bind_service+p %") OR LIKE (process_exec, "% cap_net_raw+ep %") OR LIKE (process_exec, "% cap_dac_read_search+ep %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_setcap_utility_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 references:
 - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
index 21220aebad..20e89b1760 100644
--- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of the 'shred' command
 data_source:
 - Linux Auditd Proctitle
 search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%shred%") AND (LIKE (process_exec, "%-n%") OR LIKE (process_exec, "%-z%") OR LIKE (process_exec, "%-u%") OR LIKE (process_exec, "%-s%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_shred_overwrite_command_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml
index 745186a07a..702f5b4a55 100644
--- a/detections/endpoint/linux_auditd_stop_services.yml
+++ b/detections/endpoint/linux_auditd_stop_services.yml
@@ -1,15 +1,15 @@
 name: Linux Auditd Stop Services
 id: 43bc9281-753b-4743-b4b7-60af84f085f3
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2024-12-16'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Linux Auditd, focusing on processes like "systemctl," "service," and "svcadm" executing stop commands. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.
+type: Hunting
+description: The following analytic detects attempts to stop a service on Linux systems. It leverages data from Linux Auditd. This activity is significant as adversaries often stop or terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.
 data_source:
 - Linux Auditd Service Stop
 search: '`linux_auditd` type=SERVICE_STOP | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_stop_services_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
@@ -30,9 +30,9 @@ tags:
 - AwfulShred
 - Compromised Linux Host
 asset_type: Endpoint
- confidence: 70
- impact: 70
- message: A service event - [$type$] event occured on host - [$dest$] to stop or disable a service.
+ confidence: 30
+ impact: 30
+ message: A service event - [$type$] event occurred on host - [$dest$] to stop or disable a service.
 mitre_attack_id:
 - T1489
 observable:
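Review bot: `risk_score: 36` in the next hunk (`@@ -51,7 +51,7 @@`) does not agree with the `confidence: 30` / `impact: 30` introduced here: the previous 70/70 pair went with `risk_score: 49`, i.e. confidence × impact / 100, and 30/30 gives 9, not 36 (36 would correspond to 60/60). Either set `risk_score: 9` or choose the confidence and impact that 36 was derived from; if the repository's validation recomputes the score from the two fields, the mismatch will presumably be rejected there. The new `message` also still says "to stop or disable a service" although the search at the top of the file only matches `type=SERVICE_STOP`; `message: A service event - [$type$] event occurred on host - [$dest$] to stop a service.` describes what is actually observed.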
@@ -51,7 +51,7 @@ tags:
 - UID
 - comm
 - exe
- risk_score: 49
+ risk_score: 36
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
index eb9bd249f1..7e6a5cadd3 100644
--- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the execution of the "sudo" or "su"
 data_source:
 - Linux Auditd Proctitle
 search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%sudo %") OR LIKE(process_exec, "%su %") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_sudo_or_su_execution_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 references:
 - https://attack.mitre.org/techniques/T1548/003/
diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
index fe72f91575..f1c42a5312 100644
--- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml
+++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the suspicious sysmon service stop.
 data_source:
 - Linux Auditd Service Stop
 search: '`linux_auditd` type=SERVICE_STOP unit IN ("sysmon") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_sysmon_service_stop_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
@@ -31,7 +31,7 @@ tags:
 asset_type: Endpoint
 confidence: 80
 impact: 80
- message: A service event - [$type$] event occured on host - [$dest$] to stop or disable the sysmon service.
+ message: A service event - [$type$] event occurred on host - [$dest$] to stop or disable the sysmon service.
 mitre_attack_id:
 - T1489
 observable:
diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
index 2aa7efb626..0ed6958042 100644
--- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
+++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious system network configurat
 data_source:
 - Linux Auditd Syscall
 search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest | where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_system_network_configuration_discovery_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
index 2d75516cb6..6957b46914 100644
--- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious modifications to Unix she
 data_source:
 - Linux Auditd Path
 search: '`linux_auditd` type=PATH name IN ("/etc/profile", "/etc/shells", "/etc/profile.d", "/etc/bash.bashrc", "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc", "/root/.bash_profile", "root/.profile", "/root/.zshrc", "/root/.zprofile", "/home/*/.bashrc", "/home/*/.zshrc", "/home/*/.bash_profile", "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login", "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_unix_shell_configuration_modification_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
@@ -32,7 +32,7 @@ tags:
 asset_type: Endpoint
 confidence: 80
 impact: 80
- message: A [$type$] event occured on host - [$dest$] to modify the unix shell configuration file.
+ message: A [$type$] event occurred on host - [$dest$] to modify the unix shell configuration file.
 mitre_attack_id:
 - T1546.004
 - T1546
diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
index f34589900d..004c43ae77 100644
--- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
+++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
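Review bot: `"root/.profile"` in the search line's `name IN (...)` list is the only entry without a leading slash, so it will not match an absolute `name` value the way its neighbours `"/root/.bashrc"` and `"/root/.zshrc"` do, and root's `.profile` is silently left out of the detection; change it to `"/root/.profile"`. The search is an unchanged context line here — the commit only touches `how_to_implement` in this hunk — but the typo is worth fixing in the same pass.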
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious use of the `modprobe` com
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%modprobe%") AND LIKE (process_exec, "%-r %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_unload_module_via_modprobe_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling.
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
index cabae614c3..e5af078c4f 100644
--- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
@@ -9,7 +9,7 @@ description: The following analytic detects suspicious discovery of virtual disk
 data_source:
 - Linux Auditd Execve
 search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data.
The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
index d2bf0d74d7..ca49aa1428 100644
--- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml
+++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
@@ -9,7 +9,7 @@ description: The following analytic detects the suspicious use of the whoami com
 data_source:
 - Linux Auditd Syscall
 search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest success | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_whoami_user_discovery_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling.
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index 4bf7f6a5b3..b1c621918f 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -1,16 +1,16 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 7
-date: '2024-09-30'
+version: 8
+date: '2024-12-16'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects PowerShell processes initiated with parameters that bypass the local execution policy for scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing specific flags like "-ex" or "bypass." This activity is significant because bypassing execution policies is a common tactic used by attackers to run malicious scripts undetected. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to further system compromise, data exfiltration, or persistent access within the environment.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`'
+search: '| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" AND Processes.process="* bypass *") by Processes.process_id, Processes.user,
Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.
 references:
diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
index 6724c98beb..30eeab74ba 100644
--- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
+++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
@@ -34,7 +34,7 @@ tags:
 - CVE-2021-34527
 - CVE-2021-1675
 impact: 80
- message: Suspicious printer spooler errors have occured on endpoint $ComputerName$ with EventCode $EventCode$.
+ message: Suspicious printer spooler errors have occurred on endpoint $ComputerName$ with EventCode $EventCode$.
 mitre_attack_id:
 - T1547.012
 - T1547
diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
index 0f82de52f1..b93fb7da28 100644
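Review bot: Switching the `* -ex*` / `* bypass *` condition from OR to AND narrows the match to command lines that carry both tokens, but the description a few lines up still says the search focuses on "specific flags like "-ex" or "bypass."" and should be changed to "and" so the two agree. Because `-ex` is only one of the abbreviations PowerShell accepts for its execution-policy parameter, an invocation that spells the parameter differently, or uses a policy value other than bypass, is no longer matched under the AND; if that loss of coverage is the intended trade for fewer false positives, a sentence in known_false_positives or the description recording it would save the next reader from re-deriving it.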
--- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
+++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
@@ -1,7 +1,7 @@
 name: Shim Database Installation With Suspicious Parameters
 id: 404620de-46d8-48b6-90cc-8a8d7b0876a3
-version: '7'
-date: '2024-11-28'
+version: 8
+date: '2024-12-16'
 author: David Dorsey, Splunk
 status: production
 type: TTP
@@ -17,7 +17,7 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe NOT Processes.process IN ("\"C:\\Windows\\System32\\sdbinst.exe\"", "C:\\Windows\\System32\\sdbinst.exe", "*-mm", "*-?") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`'
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe NOT Processes.process IN ("\"C:\\Windows\\System32\\sdbinst.exe\"", "C:\\Windows\\System32\\sdbinst.exe", "*-mm", "*-?", "*-m -bg") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `shim_database_installation_with_suspicious_parameters_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: None identified
 references: []
diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
index aba0071eea..f2f62cc86d 100644
--- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
+++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
@@ -33,7 +33,7 @@ search: '`wineventlog_security` EventCode=4627 LogonType=3 NOT TargetUserName I
 | fillnull value=NotDA username | search username = "NotDA" | `windows_domain_admin_impersonation_indicator_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting Authentication events across all endpoints and ingest Event Id 4627. Specifically,
- the Audit Group Membership subcategory within the Logon Logooff category needs to
+ the Audit Group Membership subcategory within the Logon Logoff category needs to
 be enabled. Its crucial to note that the accuracy and effectiveness of this detection heavily rely on the users diligence in populating and regularly updating this lookup table.
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index d1a040c81b..ed5eb41ae3 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
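Review bot: The new `"*-m -bg"` entry in the NOT IN list is a leading-wildcard match on the whole command line, so any sdbinst.exe invocation that ends in `-m -bg` is suppressed regardless of which database it installs or who launched it, which is a broader carve-out than the two full-path entries before it. `known_false_positives: None identified` on the same hunk is therefore no longer accurate; it should name the legitimate caller that produced this pattern so the exclusion can be revisited, e.g. `known_false_positives: sdbinst.exe command lines ending in "-m -bg" are excluded in the search because <legitimate caller, to be filled in> generates them.` If the benign source is known, anchoring the exclusion on its full command line, as the first two entries do, would keep the detection tighter.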
@@ -1,16 +1,16 @@
 name: Windows Service Creation Using Registry Entry
 id: 25212358-948e-11ec-ad47-acde48001122
-version: 7
-date: '2024-12-08'
+version: 8
+date: '2025-01-03'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.
 data_source:
 - Sysmon EventID 12
 - Sysmon EventID 13
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
- WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name
+ WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\*" Registry.registry_value_name
 = ImagePath) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data)
diff --git a/playbooks/risk_notable_import_data.json b/playbooks/risk_notable_import_data.json
index b88c0b461a..c9558e3e32 100644
--- a/playbooks/risk_notable_import_data.json
+++ b/playbooks/risk_notable_import_data.json
@@ -136,7 +136,7 @@
 "errors": {},
 "id": "1",
 "type": "end",
- "userCode": "\t\n # Error handling in case of playbook not being able to import data properly\n if not format_summary_note:\n raise RuntimeError(\"Error occured during import data and summary note is missing\")\n \n # This function is called after all actions are completed.\n # summary of all the action and/or all details of actions\n # can be collected here.\n\n # summary_json = phantom.get_summary()\n # if 'result' in summary_json:\n # for action_result in summary_json['result']:\n # if 'action_run_id' in action_result:\n # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)\n # phantom.debug(action_results)\n\n",
+ "userCode": "\t\n # Error handling in case of playbook not being able to import data properly\n if not format_summary_note:\n raise RuntimeError(\"Error occurred during import data and summary note is missing\")\n \n # This function is called after all actions are completed.\n # summary of all the action and/or all details of actions\n # can be collected here.\n\n # summary_json = phantom.get_summary()\n # if 'result' in summary_json:\n # for action_result in summary_json['result']:\n # if 'action_run_id' in action_result:\n # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)\n # phantom.debug(action_results)\n\n",
 "x": 960,
 "y": 1800
 },
diff --git a/playbooks/risk_notable_import_data.py b/playbooks/risk_notable_import_data.py
index f699597c80..d12c554957 100644
--- a/playbooks/risk_notable_import_data.py
+++ b/playbooks/risk_notable_import_data.py
@@ -579,7 +579,7 @@ def on_finish(container, summary):
 # Error handling in case of playbook not being able to import data properly
 if not format_summary_note:
- raise RuntimeError("Error occured during import data and summary note is missing")
+ raise RuntimeError("Error occurred during import data and summary note is missing")
 # This function is called after all actions are completed.
 # summary of all the action and/or all details of actions
From f06f5cd618a7a592d22b48a7711e903e397b7f5a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 9 Jan 2025 13:39:03 +0100
Subject: [PATCH 02/37] rename rule and enhance metadata
---
 ...g_registry_entry.yml => windows_service_creation.yml} | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
 rename detections/endpoint/{windows_service_creation_using_registry_entry.yml => windows_service_creation.yml} (80%)
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation.yml
similarity index 80%
rename from detections/endpoint/windows_service_creation_using_registry_entry.yml
rename to detections/endpoint/windows_service_creation.yml
index ed5eb41ae3..b36adf5b71 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation.yml
@@ -1,11 +1,11 @@
-name: Windows Service Creation Using Registry Entry
+name: Windows Service Creation
 id: 25212358-948e-11ec-ad47-acde48001122
 version: 8
 date: '2025-01-03'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
-description: The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.
+description: The following analytic detects modifications to the "ImagePath" registry value part of registry keys that define Windows services "HKLM\\System\\CurrentControlSet\\Services\\*". This activity can be significant because it indicates potential unauthorized service creation, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.
 data_source:
 - Sysmon EventID 12
 - Sysmon EventID 13
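Review bot: The new name "Windows Service Creation" and the description's "potential unauthorized service creation" are narrower than what the search matches: the search lines further down in this file, unchanged here, fire on any write to an ImagePath value under the Services key recorded by the listed Sysmon events, which includes changing the binary path of a service that already exists. Either say so in the description, e.g. `...detects modifications to the "ImagePath" registry value of keys under "HKLM\\System\\CurrentControlSet\\Services\\*", which define Windows services; this covers both newly created services and changes to existing ones...`, or keep a name that mentions ImagePath modification. The phrase `registry value part of registry keys` also reads awkwardly; "registry value of the keys that define Windows services" is clearer.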
@@ -14,13 +14,12 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
 = ImagePath) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data)
- | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`'
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
-known_false_positives: Third party tools may used this technique to create services
- but not so common.
+known_false_positives: Third party tools may used this technique to create services but not so common.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md
 drilldown_searches:
From 1f060bbddfcbb775b37a1c90c1504d986ff74b69 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Mon, 13 Jan 2025 22:20:46 +0100
Subject: [PATCH 03/37] update to analytics using net
---
 .../account_discovery_with_net_app.yml | 8 +-
 ...cmdline_tool_not_executed_in_cmd_shell.yml | 12 +--
 .../domain_account_discovery_with_net_app.yml | 8 +-
 .../domain_group_discovery_with_net.yml | 8 +-
 .../endpoint/net_localgroup_discovery.yml | 8 +-
 .../remote_system_discovery_with_net.yml | 8 +-
 ...dows_attempt_to_stop_security_service.yml} | 18 ++---
 ...e_local_administrator_account_via_net.yml} | 12 +--
 ...dows_esx_admins_group_creation_via_net.yml | 12 +--
 ...indows_excessive_service_stop_attempt.yml} | 12 +--
 ...=> windows_excessive_usage_of_net_app.yml} | 10 +--
 .../windows_group_discovery_via_net.yml | 75 +++++++++++++++++++
 ..._network_connection_discovery_via_net.yml} | 8 +-
 ...ws_password_policy_discovery_with_net.yml} | 10 +--
 ...ws_sensitive_group_discovery_with_net.yml} | 14 ++--
 ...rvice_stop_via_net__and_sc_application.yml | 12 +--
 ..._password_policy_to_unlimited_via_net.yml} | 19 ++---
 ..._child_process_spawned_from_webserver.yml} | 12 +--
 ....yml => windows_user_deletion_via_net.yml} | 10 +--
 ....yml => windows_user_disabled_via_net.yml} | 10 +--
 ...yml => windows_user_discovery_via_net.yml} | 10 +--
 lookups/security_services.csv | 5 ++
 macros/process_net.yml | 2 +-
 macros/process_sc.yml | 3 +
 24 files changed, 195 insertions(+), 111 deletions(-)
 rename detections/endpoint/{attempt_to_stop_security_service.yml => windows_attempt_to_stop_security_service.yml} (75%)
 rename detections/endpoint/{create_local_admin_accounts_using_net_exe.yml => windows_create_local_administrator_account_via_net.yml} (72%)
 rename detections/endpoint/{excessive_service_stop_attempt.yml => windows_excessive_service_stop_attempt.yml} (73%)
 rename detections/endpoint/{excessive_usage_of_net_app.yml => windows_excessive_usage_of_net_app.yml} (84%)
 create mode 100644 detections/endpoint/windows_group_discovery_via_net.yml
 rename
detections/endpoint/{network_connection_discovery_with_net.yml => windows_network_connection_discovery_via_net.yml} (86%)
 rename detections/endpoint/{password_policy_discovery_with_net.yml => windows_password_policy_discovery_with_net.yml} (69%)
 rename detections/endpoint/{elevated_group_discovery_with_net.yml => windows_sensitive_group_discovery_with_net.yml} (72%)
 rename detections/endpoint/{windows_valid_account_with_never_expires_password.yml => windows_set_account_password_policy_to_unlimited_via_net.yml} (83%)
 rename detections/endpoint/{detect_webshell_exploit_behavior.yml => windows_suspicious_child_process_spawned_from_webserver.yml} (95%)
 rename detections/endpoint/{deleting_of_net_users.yml => windows_user_deletion_via_net.yml} (91%)
 rename detections/endpoint/{disabling_net_user_account.yml => windows_user_disabled_via_net.yml} (91%)
 rename detections/endpoint/{local_account_discovery_with_net.yml => windows_user_discovery_via_net.yml} (79%)
 create mode 100644 macros/process_sc.yml
diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml
index dd3ef42497..6e5ff417e4 100644
--- a/detections/endpoint/account_discovery_with_net_app.yml
+++ b/detections/endpoint/account_discovery_with_net_app.yml
@@ -1,11 +1,11 @@
 name: Account Discovery With Net App
 id: 339805ce-ac30-11eb-b87d-acde48001122
-version: 7
-date: '2024-09-30'
+version: 8
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk, TheLawsOfChaos, Github Community
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects potential account discovery activities using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line patterns and process relationships. This activity is significant as it often precedes further malicious actions, such as lateral movement or privilege escalation. If confirmed malicious, attackers could gain valuable information about user accounts, enabling them to escalate privileges or move laterally within the network, posing a significant security risk.
+description: The following analytic has been deprecated in favour of the more generic "45e52536-ae42-11eb-b5c6-acde48001122". The following analytic detects potential account discovery activities using the 'net' command, commonly employed by malware like Trickbot for reconnaissance. It leverages Endpoint Detection and Response (EDR) data, focusing on specific command-line patterns and process relationships. This activity is significant as it often precedes further malicious actions, such as lateral movement or privilege escalation. If confirmed malicious, attackers could gain valuable information about user accounts, enabling them to escalate privileges or move laterally within the network, posing a significant security risk.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
index 798df38377..a0855e0861 100644
--- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
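Review bot: The deprecation sentence added to the description points readers to the replacement only by id "45e52536-ae42-11eb-b5c6-acde48001122"; naming the analytic as well, e.g. `deprecated in favour of the more generic "<replacement analytic name>" (45e52536-ae42-11eb-b5c6-acde48001122)`, would make the notice usable without a lookup. The same change in domain_account_discovery_with_net_app.yml leaves the replacement as an empty string `""`, and in domain_group_discovery_with_net.yml it names "Domain Group Discovery With Net", which is the analytic being deprecated, so neither tells the reader where to go; the patch's file list shows a newly created windows_group_discovery_via_net.yml that is probably the intended target for the latter, though that cannot be confirmed from the hunk. The three notices also open differently ("The following analytic", "This following analytic", "This search"); one wording across the deprecated files would help.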
+++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml 
@@ -1,16 +1,16 @@
-name: Cmdline Tool Not Executed In CMD Shell
+name: Windows Cmdline Tool Execution From Non-Shell Process
 id: 6c3f7dd8-153c-11ec-ac2d-acde48001122
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network.
+type: Anomaly
+description: The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard shell parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe" OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net.exe" OR Processes.process_name = "net1.exe" OR Processes.process_name = "arp.exe" OR Processes.process_name = "nslookup.exe" OR Processes.process_name = "route.exe" OR Processes.process_name = "netstat.exe" OR Processes.process_name = "whoami.exe") AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe" OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net1.exe" OR Processes.process_name = "arp.exe" OR Processes.process_name = "nslookup.exe" OR Processes.process_name = "route.exe" OR Processes.process_name = "netstat.exe" OR Processes.process_name = "whoami.exe") AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell.exe" OR Processes.parent_process_name = "powershell_ise.exe" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name
Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cmdline_tool_execution_from_non_shell_process_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.
 references:
diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml
index aaff8ce6a9..e640567455 100644
--- a/detections/endpoint/domain_account_discovery_with_net_app.yml
+++ b/detections/endpoint/domain_account_discovery_with_net_app.yml
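Review bot: `net.exe` is dropped from the process_name list but `net1.exe` stays; if, as is commonly the case, net1.exe is launched by net.exe rather than directly by a shell, its parent will be net.exe, which the NOT clause does not exclude, so the analytic keeps firing on ordinary net usage that this commit appears to be handing off to the dedicated net analytics. Either remove `Processes.process_name = "net1.exe"` as well or add `Processes.parent_process_name = "net.exe"` to the excluded parents, depending on what the rename intends. The new description wording `executed by a non-standard shell parent process, excluding CMD, PowerShell, or Explorer` is ambiguous; `executed by a parent process other than a standard shell (CMD, PowerShell, or Explorer)` says it directly and matches the new name.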
@@ -1,11 +1,11 @@
 name: Domain Account Discovery With Net App
 id: 98f6a534-04c2-11ec-96b2-acde48001122
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-13'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network.
+description: This following analytic has been deprecated in favour of the generic version "". The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml
index f4dba5c26b..1b1c2d1460 100644
--- a/detections/endpoint/domain_group_discovery_with_net.yml
+++ b/detections/endpoint/domain_group_discovery_with_net.yml
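Review bot: The new `description:` line says the analytic is deprecated `in favour of the generic version ""` — the quotes are empty, so a reader cannot tell which analytic replaces this one. Since several analytics in this patch now share a display name, point to the replacement by id and file name, e.g. `This following analytic has been deprecated in favour of the generic version "<replacement analytic id>".` (placeholder for the real id). The same sentence should also read `The following analytic` rather than `This following analytic`.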
@@ -1,11 +1,11 @@
 name: Domain Group Discovery With Net
 id: f2f14ac7-fa81-471a-80d5-7eb65c3c7349
-version: 5
-date: '2024-12-11'
+version: 6
+date: '2025-01-13'
 author: Mauricio Velazco, Splunk
-status: production
+status: deprecated
 type: Hunting
-description: The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.
+description: This search has been deprecated in favour of the more generic analytic "Domain Group Discovery With Net". The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/endpoint/net_localgroup_discovery.yml
index 3a1e501a64..dbf16c85fa 100644
--- a/detections/endpoint/net_localgroup_discovery.yml
+++ b/detections/endpoint/net_localgroup_discovery.yml
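Review bot: The new description deprecates "Domain Group Discovery With Net" in favour of an analytic that is also called "Domain Group Discovery With Net" — the new file added later in this patch carries the identical `name:` — so the pointer is self-referential and ambiguous to anyone reading the deprecated entry. Reference the replacement by its id, which is unique: `This search has been deprecated in favour of the more generic analytic "Domain Group Discovery With Net" (c5c8e0f3-147a-43da-bf04-4cfaec27dc44).` The Net Localgroup Discovery hunk below has the same ambiguous pointer.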
@@ -1,11 +1,11 @@
 name: Net Localgroup Discovery
 id: 54f5201e-155b-11ec-a6e2-acde48001122
-version: 4
-date: '2024-11-26'
+version: 5
+date: '2025-01-13'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: Hunting
-description: The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network.
+description: This search has been deprecated in favour of the more generic analytic "Domain Group Discovery With Net". The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/endpoint/remote_system_discovery_with_net.yml
index ba54daf19a..a9570ff02a 100644
--- a/detections/endpoint/remote_system_discovery_with_net.yml
+++ b/detections/endpoint/remote_system_discovery_with_net.yml
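Review bot: Deprecating Net Localgroup Discovery in favour of the new group-discovery analytic leaves a coverage gap for local-group enumeration: the replacement's search, added later in this patch, requires `Processes.process=*/do*`, so a plain `net localgroup administrators` without `/domain` — the exact case this analytic covered — is no longer matched by any production analytic. Either keep this one in production or drop the `*/do*` requirement from the replacement, whose description already claims to cover local groups.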
@@ -1,11 +1,11 @@
 name: Remote System Discovery with Net
 id: 9df16706-04a2-41e2-bbfe-9b38b34409d3
-version: 4
-date: '2024-11-26'
+version: 5
+date: '2025-01-13'
 author: Mauricio Velazco, Splunk
-status: production
+status: deprecated
 type: Hunting
-description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to discover remote systems, such as `domain computers /domain`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out networked systems and Active Directory structures. If confirmed malicious, this behavior could lead to further network exploitation, privilege escalation, or lateral movement within the environment.
+description: The following analytic has been deprecated in favour of two dedicated analytics "4dc3951f-b3f8-4f46-b412-76a483f72277" and "a23a0e20-0b1b-4a07-82e5-ec5f70811e7a" .The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to discover remote systems, such as `domain computers /domain`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out networked systems and Active Directory structures. If confirmed malicious, this behavior could lead to further network exploitation, privilege escalation, or lateral movement within the environment.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
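Review bot: The new description has `"a23a0e20-0b1b-4a07-82e5-ec5f70811e7a" .The following analytic` — a stray space before the period and none after it; write `…"a23a0e20-0b1b-4a07-82e5-ec5f70811e7a". The following analytic…`. Neither replacement id appears in this chunk of the patch, so I could not confirm they resolve to existing analytics; worth a check before the deprecated status lands.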
diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/windows_attempt_to_stop_security_service.yml
similarity index 75%
rename from detections/endpoint/attempt_to_stop_security_service.yml
rename to detections/endpoint/windows_attempt_to_stop_security_service.yml
index a84ecb6ecc..1083c18407 100644
--- a/detections/endpoint/attempt_to_stop_security_service.yml
+++ b/detections/endpoint/windows_attempt_to_stop_security_service.yml
@@ -1,16 +1,16 @@
-name: Attempt To Stop Security Service
+name: Windows Attempt To Stop Security Service
 id: c8e349c6-b97c-486e-8949-bd7bcd1f3910
-version: 7
-date: '2024-09-30'
-author: Rico Valdez, Splunk
+version: 8
+date: '2025-01-13'
+author: Rico Valdez, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
-description: The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the "sc.exe" command with the "stop" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response.
+description: The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the "sc.exe" or "net.exe" command with the "stop" parameter or the PowerShell "Stop-Service" cmdlet. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response.
data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`'
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_net` OR `process_sc`) Processes.process="* stop *") OR Processes.process="*Stop-Service *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `windows_attempt_to_stop_security_service_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: None identified. Attempts to disable security-related services should be identified and understood.
 references:
@@ -34,8 +34,8 @@ tags:
 - Azorult
 - Trickbot
 asset_type: Endpoint
- confidence: 50
- impact: 40
+ confidence: 80
+ impact: 80
 message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.
 mitre_attack_id:
 - T1562.001
@@ -74,7 +74,7 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 20
+ risk_score: 64
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
similarity index 72%
rename from detections/endpoint/create_local_admin_accounts_using_net_exe.yml
rename to detections/endpoint/windows_create_local_administrator_account_via_net.yml
index 5a6097eadc..118809b4c7 100644
--- a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml
+++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
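Review bot: In the rewritten `where` clause the new `Stop-Service` branch is not gated by any process-name macro, so a command line containing `Stop-Service ` from any image reaches the lookup stage, whereas the `stop` branch is scoped to `process_net`/`process_sc`. Scoping it the same way keeps the two branches consistent, e.g. `OR (Processes.process_name IN ("powershell.exe", "powershell_ise.exe", "pwsh.exe") AND Processes.process="*Stop-Service *")`. Neither the `process_sc` macro nor the renamed `windows_attempt_to_stop_security_service_filter` macro is defined in this chunk; presumably they are added elsewhere in the series, but the search will error if either is missing. The confidence/impact/risk_score hunks further down are consistent with each other (80 × 80 → 64).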
@@ -1,16 +1,16 @@
-name: Create local admin accounts using net exe
+name: Windows Create Local Administrator Account Via Net
 id: b89919ed-fe5f-492c-b139-151bb162040e
-version: 13
-date: '2024-11-26'
+version: 14
+date: '2025-01-13'
 author: Bhavin Patel, Splunk
 status: production
-type: TTP
-description: The following analytic detects the creation of local administrator accounts using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes named net.exe or net1.exe with the "/add" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity.
+type: Anomaly
+description: The following analytic detects the creation of a local administrator account using the "net.exe" command. It leverages Endpoint Detection and Response (EDR) data to identify processes named "net.exe" with the "/add" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity.
data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=*/add* AND (Processes.process=*administrators* OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer* OR Processes.process=*Rendszergazda* OR Processes.process=*Администратор* OR Processes.process=*Administratör*) by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`'
+search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=*/add* AND (Processes.process IN ("*administrators*", "*administratoren*", "*administrateurs*", "*administrador*", "*amministratori*", "*administratorer*", "*Rendszergazda*", "*Администратор*", "*Administratör*") by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_create_local_administrator_account_via_net_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: Administrators often leverage net.exe to create admin accounts.
 references: []
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
index 8f258e1d94..61ff643051 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
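Review bot: The rewritten `search:` has an unbalanced parenthesis: `AND (Processes.process IN ("*administrators*", …, "*Administratör*") by` opens a group before `Processes.process IN` that is never closed (the `IN` list closes only its own parenthesis), so the search will fail to parse and the analytic produces nothing. Drop the extra opening parenthesis: `AND Processes.process IN ("*administrators*", "*administratoren*", "*administrateurs*", "*administrador*", "*amministratori*", "*administratorer*", "*Rendszergazda*", "*Администратор*", "*Administratör*") by`. The description now names only `net.exe`; if the `process_net` macro (not visible in this chunk) still covers `net1.exe`, the description should keep saying so.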
@@ -1,14 +1,16 @@
 name: Windows ESX Admins Group Creation via Net
 id: 3d7df60b-3332-4667-8090-afe03e08dce0
-version: 3
-date: '2024-11-26'
+version: 4
+date: '2025-01-13'
 author: Michael Haag, Splunk
+status: production
+type: TTP
 data_source:
 - Sysmon EventID 1
-type: TTP
-status: production
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
 description: This analytic detects attempts to create an "ESX Admins" group using the Windows net.exe or net1.exe commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the "ESX Admins" group after its deletion from Active Directory.
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="*group \"ESX Admins\"*" OR Processes.process="*group ESX Admins*") AND Processes.process="*/add*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_esx_admins_group_creation_via_net_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` Processes.process="*group*" Processes.process="*ESX Admins*" AND Processes.process="*/add*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_esx_admins_group_creation_via_net_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
 known_false_positives: Legitimate administrators might create an "ESX Admins" group for valid reasons. Verify that the group creation is authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities.
 references:
diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/windows_excessive_service_stop_attempt.yml
similarity index 73%
rename from detections/endpoint/excessive_service_stop_attempt.yml
rename to detections/endpoint/windows_excessive_service_stop_attempt.yml
index 90dcb51e91..2ae9713bcd 100644
--- a/detections/endpoint/excessive_service_stop_attempt.yml
+++ b/detections/endpoint/windows_excessive_service_stop_attempt.yml
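Review bot: The rewritten `search:` matches `*group*`, `*ESX Admins*` and `*/add*` independently anywhere in the command line, so it fires on membership additions such as `net localgroup "ESX Admins" <user> /add` as well as on group creation, while `name:`, `description:` and `known_false_positives:` still describe only creating the group. The old adjacency pattern already caught that case, so this is a documentation gap rather than a regression, but it is worth closing since the CVE-2024-37085 scenario the description cites involves the group's membership as much as its existence; e.g. `description: This analytic detects attempts to create, or add members to, an "ESX Admins" group using the Windows net.exe or net1.exe commands. …`. Mixing implicit and explicit `AND` (`` `process_net` Processes.process="*group*" Processes.process="*ESX Admins*" AND … ``) is legal SPL but reads oddly next to the other searches in this patch; writing `AND` between each term would be consistent with them.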
@@ -1,16 +1,16 @@
-name: Excessive Service Stop Attempt
+name: Windows Excessive Service Stop Attempt
 id: ae8d3f4a-acd7-11eb-8846-acde48001122
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
-type: Anomaly
-description: The following analytic detects multiple attempts to stop or delete services on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture.
+type: TTP
+description: The following analytic detects multiple attempts to stop or delete services on a system using `net.exe` or `sc.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture.
data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = "sc.exe" OR Processes.process_name = "net1.exe" AND Processes.process="*stop*" OR Processes.process="*delete*" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`'
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (`process_net` OR `process_sc`) AND Processes.process="*stop*" OR Processes.process="*delete*" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_service_stop_attempt_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: unknown
 references:
diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/windows_excessive_usage_of_net_app.yml
similarity index 84%
rename from detections/endpoint/excessive_usage_of_net_app.yml
rename to detections/endpoint/windows_excessive_usage_of_net_app.yml
index 9d5f2390f0..3cbb7b6a9d 100644
--- a/detections/endpoint/excessive_usage_of_net_app.yml
+++ b/detections/endpoint/windows_excessive_usage_of_net_app.yml
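Review bot: The rewritten `where` clause still carries the precedence problem the old one had on its right-hand side: `(`process_net` OR `process_sc`) AND Processes.process="*stop*" OR Processes.process="*delete*"` parses as `(… AND *stop*) OR *delete*`, so any process from any image whose command line contains `delete` counts toward the `count >=5` threshold, which is not what the description says and will inflate the TTP's noise now that it is no longer an Anomaly. Group the two command-line patterns: `where (`process_net` OR `process_sc`) AND (Processes.process="*stop*" OR Processes.process="*delete*") by …`. As in the stop-security-service hunk above, `process_sc` is not defined in this chunk and must exist before this search runs.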
@@ -1,16 +1,16 @@
-name: Excessive Usage Of Net App
+name: Windows Excessive Usage Of Net App
 id: 45e52536-ae42-11eb-b5c6-acde48001122
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects excessive usage of `net.exe` or `net1.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions.
+description: The following analytic detects excessive usage of `net.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions.
data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`'
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_excessive_usage_of_net_app_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: unknown. Filter as needed. Modify the time span as needed.
 references:
diff --git a/detections/endpoint/windows_group_discovery_via_net.yml b/detections/endpoint/windows_group_discovery_via_net.yml
new file mode 100644
index 0000000000..10cb8b78e2
--- /dev/null
+++ b/detections/endpoint/windows_group_discovery_via_net.yml
@@ -0,0 +1,75 @@
+name: Domain Group Discovery With Net
+id: c5c8e0f3-147a-43da-bf04-4cfaec27dc44
+version: 1
+date: '2025-01-13'
+author: Michael Haag, Mauricio Velazco, Splunk
+status: production
+type: Hunting
+description: The following analytic identifies the execution of `net.exe` with command-line arguments used to query global, local and domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local or domain groups, which is a common step in Active Directory or privileged accounts discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*group* AND Processes.process=*/do*) AND NOT (Processes.process="*/add" OR Processes.process="*/delete") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Administrators or power users may use this command for troubleshooting.
+references:
+- https://attack.mitre.org/techniques/T1069/002/
+- https://attack.mitre.org/techniques/T1069/001/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+- https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
+- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
+tags:
+ analytic_story:
+ - Windows Post-Exploitation
+ - Active Directory Discovery
+ - Prestige Ransomware
+ - Graceful Wipe Out Attack
+ - Rhysida Ransomware
+ - Cleo File Transfer Software
+ - Volt Typhoon
+ - IcedID
+ - Windows Discovery Techniques
+ - Azorult
+ asset_type: Endpoint
+ confidence: 50
+ impact: 30
+ message: Local or domain group enumeration on $dest$ by $user$
+ mitre_attack_id:
+ - T1069
+ - T1069.001
+ - T1069.002
+ observable:
+ - name: dest
+ type: Endpoint
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - Processes.dest
+ - Processes.user
+ - Processes.parent_process_name
+ - Processes.parent_process
+ - Processes.original_file_name
+ - Processes.process_name
+ - Processes.process
+ - Processes.process_id
+ - Processes.parent_process_path
+ - Processes.process_path
+ - Processes.parent_process_id
+ risk_score: 15
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ 
sourcetype: XmlWinEventLog
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/windows_network_connection_discovery_via_net.yml
similarity index 86%
rename from detections/endpoint/network_connection_discovery_with_net.yml
rename to detections/endpoint/windows_network_connection_discovery_via_net.yml
index f708fb4466..61e696275a 100644
--- a/detections/endpoint/network_connection_discovery_with_net.yml
+++ b/detections/endpoint/windows_network_connection_discovery_via_net.yml
@@ -1,7 +1,7 @@
-name: Network Connection Discovery With Net
+name: Windows Network Connection Discovery Via Net
 id: 640337e5-6e41-4b7f-af06-9d9eab5e1e2d
-version: 4
-date: '2024-11-26'
+version: 5
+date: '2025-01-13'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
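Review bot: The new file's `name: Domain Group Discovery With Net` duplicates the display name of the analytic this same patch deprecates, does not match its own file name `windows_group_discovery_via_net.yml`, and breaks the `Windows … Via Net` naming applied to every rename in this patch; its filter macro `domain_group_discovery_with_net_filter` likewise looks like the deprecated analytic's macro rather than a new one (the macros directory is not in this chunk, so I cannot confirm whether that is a collision). `name: Windows Group Discovery Via Net` with `` `windows_group_discovery_via_net_filter` `` would be consistent with the rest of the series. In the `search:`, the exclusion `NOT (Processes.process="*/add" OR Processes.process="*/delete")` has no trailing wildcard, so it only excludes command lines that end in `/add` or `/delete`; `"*/add*"` and `"*/del*"` would exclude them wherever they appear, including before `/domain`. The `*/do*` requirement also contradicts the description's claim to cover local groups, as noted on the Net Localgroup Discovery hunk above.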
@@ -10,7 +10,7 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*use*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `network_connection_discovery_with_net_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*use) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_connection_discovery_via_net_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: Administrators or power users may use this command for troubleshooting.
 references:
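Review bot: `Processes.process=*use` is now end-anchored, so a `net use` listing whose logged command line carries trailing whitespace no longer matches, and the value is the only unquoted wildcard among the searches touched in this commit. If the intent is to keep only the argument-less listing form and drop `net use \\host\share` mappings, quote it and tolerate the trailing space, e.g. `Processes.process IN ("*use", "*use ")`, and say in the description that only the bare listing form is covered. Because `process_net` is narrowed to net1.exe elsewhere in this patch, also confirm with the existing test dataset that a bare `net use` still surfaces as a net1.exe process rather than being handled by net.exe itself.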
diff --git a/detections/endpoint/password_policy_discovery_with_net.yml b/detections/endpoint/windows_password_policy_discovery_with_net.yml
similarity index 69%
rename from detections/endpoint/password_policy_discovery_with_net.yml
rename to detections/endpoint/windows_password_policy_discovery_with_net.yml
index 669229a3a3..d85bbd0440 100644
--- a/detections/endpoint/password_policy_discovery_with_net.yml
+++ b/detections/endpoint/windows_password_policy_discovery_with_net.yml
@@ -1,16 +1,16 @@
-name: Password Policy Discovery with Net
+name: Windows Password Policy Discovery with Net
 id: 09336538-065a-11ec-8665-acde48001122
-version: 5
-date: '2024-11-26'
+version: 6
+date: '2025-01-13'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: Hunting
-description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command line arguments aimed at obtaining the domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network.
+description: The following analytic identifies the execution of `net.exe` with command line arguments aimed at obtaining the computer or domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network.
data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "*accounts*" AND Processes.process = "*/domain*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `password_policy_discovery_with_net_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "*accounts" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_policy_discovery_with_net_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Administrators or power users may use this command for troubleshooting.
 references:
diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml
similarity index 72%
rename from detections/endpoint/elevated_group_discovery_with_net.yml
rename to detections/endpoint/windows_sensitive_group_discovery_with_net.yml
index 8b4862a20d..d02a2c241a 100644
--- a/detections/endpoint/elevated_group_discovery_with_net.yml
+++ b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml
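Review bot: The new `Processes.process = "*accounts"` is end-anchored, so `net accounts /domain`, the form that actually returns the domain policy the rewritten description now advertises, no longer matches; only a bare `net accounts` (local computer policy) does. Keep both forms, e.g. `Processes.process IN ("* accounts", "* accounts /do*")`, or drop "or domain" from the description. Note that the removed expression required `*/domain*`, so this hunk silently inverts which of the two cases is covered rather than widening it.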
@@ -1,16 +1,16 @@
-name: Elevated Group Discovery With Net
+name: Windows Sensitive Group Discovery With Net
 id: a23a0e20-0b1b-4a07-82e5-ec5f70811e7a
-version: 4
-date: '2024-11-26'
+version: 5
+date: '2025-01-13'
 author: Mauricio Velazco, Splunk
 status: production
-type: TTP
-description: The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query elevated domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within Active Directory. If confirmed malicious, this behavior could lead to further attacks aimed at compromising privileged accounts, escalating privileges, or gaining unauthorized access to sensitive systems and data.
+type: Anomaly
+description: The following analytic detects the execution of `net.exe` with command-line arguments used to query elevated domain or sensitive groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within Active Directory. If confirmed malicious, this behavior could lead to further attacks aimed at compromising privileged accounts, escalating privileges, or gaining unauthorized access to sensitive systems and data.
data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="*group*" AND Processes.process="*/do*") (Processes.process="*Domain Admins*" OR Processes.process="*Enterprise Admins*" OR Processes.process="*Schema Admins*" OR Processes.process="*Account Operators*" OR Processes.process="*Server Operators*" OR Processes.process="*Protected Users*" OR Processes.process="*Dns Admins*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `elevated_group_discovery_with_net_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` Processes.process="*group*" Processes.process IN ("*Domain Admins*", "*Enterprise Admins*", "*Schema Admins*", "*Account Operators*", "*Server Operators*", "*Protected Users*", "*Dns Admins*", "*Domain Computers*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sensitive_group_discovery_with_net_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: Administrators or power users may use this command for troubleshooting.
 references:
@@ -18,6 +18,7 @@ references:
 - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
 - https://adsecurity.org/?p=3658
 - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
+- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
 drilldown_searches:
 - name: View the detection results for - "$dest$"
 search: '%original_detection_search% | search dest = "$dest$"'
@@ -33,6 +34,7 @@ tags:
 - Volt Typhoon
 - Rhysida Ransomware
 - BlackSuit Ransomware
+ - IcedID
 asset_type: Endpoint
 confidence: 70
 impact: 30
diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
index a610acb064..093c38aa47 100644
--- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
+++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
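Review bot: `"*Dns Admins*"` in the rewritten `IN (...)` list cannot match anything: the built-in AD group is named `DnsAdmins` with no space, so `net group DnsAdmins /domain` is missed; add `"*DnsAdmins*"` (the value was already dead in the removed line, but this commit rewrites the list and is the place to fix it). `"*Domain Computers*"` is not a privileged group, so enumerating it is host discovery rather than sensitive-group discovery; either justify it in the description or leave it to a discovery analytic. Dropping the former `*/do*` requirement also means local `net localgroup` queries against these names now fire, which the known_false_positives text should acknowledge.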
@@ -1,16 +1,16 @@
-name: Windows Service Stop Via Net and SC Application
+name: Windows Service Stop Attempt
 id: 827af04b-0d08-479b-9b84-b7d4644e4b80
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
-type: Anomaly
-description: The following analytic identifies attempts to stop services on a system using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line executions. This activity is significant as adversaries often terminate security or critical services to evade detection and further their objectives. If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise.
+type: Hunting
+description: The following analytic identifies attempts to stop services on a system using `net.exe`, `sc.exe` or the "Stop-Service" cmdlet. It leverages Endpoint Detection and Response (EDR) telemetry. This activity can be significant as adversaries often terminate security or critical services to evade detection and further their objectives. If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise.
data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_net` OR `process_sc`) Processes.process="* stop *") OR Processes.process="*Stop-Service *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product.
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: Windows OS or software may stop and restart services due to some critical update.
 references:
diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
similarity index 83%
rename from detections/endpoint/windows_valid_account_with_never_expires_password.yml
rename to detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
index a885aaf1ba..7d75a799ea 100644
--- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml
+++ b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
@@ -1,13 +1,13 @@
-name: Windows Valid Account With Never Expires Password
+name: Windows Set Account Password Policy To Unlimited Via Net
 id: 73a931db-1830-48b3-8296-cd9cfa09c3c8
-version: '4'
-date: '2024-11-28'
-author: Teoderick Contreras, Splunk
+version: 5
+date: '2025-01-13'
+author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the use of net.exe to update user account policies to set passwords as non-expiring. It leverages data from Endpoint Detection
- and Response (EDR) agents, focusing on command-line executions involving "/maxpwage:unlimited".
+ and Response (EDR) agents, focusing on command-line executions involving "/maxpwage:unlimited" or "/maxpwage:49710", which achieve a similar outcome theoretically.
 This activity is significant as it can indicate an attempt to maintain persistence, escalate privileges, evade defenses, or facilitate lateral movement. If confirmed malicious, this behavior could allow an attacker to maintain long-term access to
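Review bot: The detection is renamed to "Windows Service Stop Attempt" but the search still ends in the old `windows_service_stop_via_net__and_sc_application_filter` macro and the file keeps its old name, whereas every other rename in this commit updates the filter macro to match the new name; if the build derives the macro name from `name`, this will fail validation, so use `windows_service_stop_attempt_filter` and rename the file. In the new search `Processes.process="*Stop-Service *"` requires a trailing space, so the pipeline form `Get-Service foo | Stop-Service` with no arguments is missed; `Processes.process="*Stop-Service*"` covers both. That branch also matches any process, not only PowerShell hosts, which is acceptable for a Hunting search but worth stating in the description.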
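Review bot: "which achieve a similar outcome theoretically" in the rewritten description is too vague to help an analyst; 49710 is the documented upper bound for `net accounts /maxpwage` (in days, roughly 136 years), so say that instead, e.g. `involving "/maxpwage:unlimited" or "/maxpwage:49710", the largest value net accounts accepts and therefore effectively non-expiring`. The description scalar continues past this hunk's last line.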
@@ -19,11 +19,8 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
- where `process_net` AND Processes.process="* accounts *" AND Processes.process="*
- /maxpwage:unlimited" by Processes.dest Processes.user Processes.parent_process_name
- Processes.process_name Processes.original_file_name Processes.process Processes.process_id
- Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`'
+ where `process_net` AND Processes.process="* accounts *" AND (Processes.process="*
+ /maxpwage:unlimited" OR Processes.process="/maxpwage:49710") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_set_account_password_policy_to_unlimited_via_net_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search,
diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
similarity index 95%
rename from detections/endpoint/detect_webshell_exploit_behavior.yml
rename to detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
index 49baa8e1aa..eb4ad12a70 100644
--- a/detections/endpoint/detect_webshell_exploit_behavior.yml
+++ b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
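Review bot: The added alternative `Processes.process="/maxpwage:49710"` has no wildcards, so it is an exact match against the whole command line and can never be true for a process that also satisfies `"* accounts *"`; the 49710 branch this commit introduces is dead. Both alternatives should allow surrounding arguments, e.g. `(Processes.process="* /maxpwage:unlimited*" OR Processes.process="* /maxpwage:49710*")`, which additionally catches `net accounts /maxpwage:unlimited /domain`, currently missed by the end-anchored first alternative. A True Positive test exercising the 49710 form would have caught this and should accompany the change.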
@@ -1,15 +1,15 @@
-name: Detect Webshell Exploit Behavior
+name: Windows Suspicious Child Process Spawned From Web Server
 id: 22597426-6dbd-49bd-bcdc-4ec19857192f
-version: '5'
-date: '2024-11-28'
+version: '6'
+date: '2025-01-13'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic identifies the execution of suspicious processes
- typically associated with webshell activity on web servers. It detects when processes
+ typically associated with WebShell activity on web servers. It detects when processes
 like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate
- an adversary exploiting a web application vulnerability to install a webshell, providing
+ an adversary exploiting a web application vulnerability to install a WebShell, providing
 persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive
@@ -29,7 +29,7 @@ search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, IN ("w3wp.exe", "http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe","tomcat*.exe")) by Processes.dest,Processes.user,Processes.parent_process,Processes.parent_process_name,Processes.process,Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
- | `detect_webshell_exploit_behavior_filter`'
+ | `windows_suspicious_child_process_spawned_from_webserver_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search,
diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/windows_user_deletion_via_net.yml
similarity index 91%
rename from detections/endpoint/deleting_of_net_users.yml
rename to detections/endpoint/windows_user_deletion_via_net.yml
index a322d9c3e4..5a371e904d 100644
--- a/detections/endpoint/deleting_of_net_users.yml
+++ b/detections/endpoint/windows_user_deletion_via_net.yml
@@ -1,16 +1,16 @@
-name: Deleting Of Net Users
+name: Windows User Deletion Via Net
 id: 1c8c6f66-acce-11eb-aafb-acde48001122
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the use of net.exe or net1.exe command-line to delete a user account on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as it may indicate an attempt to impair user accounts or cover tracks during lateral movement. If confirmed malicious, this could lead to unauthorized access removal, disruption of legitimate user activities, or concealment of adversarial actions, complicating incident response and forensic investigations.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/delete*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`'
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/delete*" by Processes.process_name Processes.original_file_name Processes.dest
Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_deletion_via_net_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: System administrators or scripts may delete user accounts via this technique. Filter as needed.
 references:
diff --git a/detections/endpoint/disabling_net_user_account.yml b/detections/endpoint/windows_user_disabled_via_net.yml
similarity index 91%
rename from detections/endpoint/disabling_net_user_account.yml
rename to detections/endpoint/windows_user_disabled_via_net.yml
index e7b75edae3..bdf3d0f53d 100644
--- a/detections/endpoint/disabling_net_user_account.yml
+++ b/detections/endpoint/windows_user_disabled_via_net.yml
@@ -1,16 +1,16 @@
-name: Disabling Net User Account
+name: Windows User Disabled Via Net
 id: c0325326-acd6-11eb-98c2-acde48001122
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/active:no*" by Processes.process_name Processes.original_file_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`'
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="*user*" AND Processes.process="*/active:no*" by Processes.process_name Processes.original_file_name Processes.dest
Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_disabled_via_net_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: unknown
 references:
diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/windows_user_discovery_via_net.yml
similarity index 79%
rename from detections/endpoint/local_account_discovery_with_net.yml
rename to detections/endpoint/windows_user_discovery_via_net.yml
index c9a24daa9a..0e7a364c67 100644
--- a/detections/endpoint/local_account_discovery_with_net.yml
+++ b/detections/endpoint/windows_user_discovery_via_net.yml
@@ -1,8 +1,8 @@
-name: Local Account Discovery with Net
+name: Windows User Discovery Via Net
 id: 5d0d4830-0133-11ec-bae3-acde48001122
-version: 4
-date: '2024-10-17'
-author: Mauricio Velazco, Splunk
+version: 5
+date: '2025-01-13'
+author: Mauricio Velazco, Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Hunting
 description: The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments `user` or `users` to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further attacks, including privilege escalation and lateral movement within the network.
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `local_account_discovery_with_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process="*user" OR Processes.process="*users" OR Processes.process="*users *" OR Processes.process="*user *") AND NOT (Processes.process="*/add" OR Processes.process="*/delete") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_discovery_via_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
known_false_positives: Administrators or power users may use this command for troubleshooting. references: diff --git a/lookups/security_services.csv b/lookups/security_services.csv index b8982c6109..8aa2e35080 100644 --- a/lookups/security_services.csv +++ b/lookups/security_services.csv @@ -3,3 +3,8 @@ service,description,category *wscsvc*,Windows Security Center Service,security *windefend*,Windows Defender Service,security *sysmon*,Sysmon Driver,security +*csc_iseagent*,Cisco Secure Client - ISE Posture Agent,security +*csc_nvmagent*,Cisco Secure Client - Network Visibility Agent,security +*csc_umbrellaagent*,Cisco Secure Client - Umbrella Agent,security +*csc_swgagent*,Cisco Secure Client - Umbrella SWG Agent,security +*CiscoAMP*,Cisco Secure Endpoint,security diff --git a/macros/process_net.yml b/macros/process_net.yml index ca8bb9efa5..8ca4fcec5c 100644 --- a/macros/process_net.yml +++ b/macros/process_net.yml @@ -1,3 +1,3 @@ -definition: (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.original_file_name="net1.exe") +definition: (Processes.process_name="net1.exe" OR Processes.original_file_name="net1.exe") description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ name: process_net \ No newline at end of file diff --git a/macros/process_sc.yml b/macros/process_sc.yml new file mode 100644 index 0000000000..c98f5c4685 --- /dev/null +++ b/macros/process_sc.yml @@ -0,0 +1,3 @@ +definition: (Processes.process_name="sc.exe" OR Processes.original_file_name="sc.exe") +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_sc \ No newline at end of file From efa8b09ad3ca7aa6f84411361807157c55eb0243 Mon Sep 17 00:00:00 2001 
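Review bot: The added terms `Processes.process="*user *"` and `Processes.process="*users *"` on the new `search` line match the substring anywhere in the command line rather than the `user`/`users` subcommand, so any `net1` invocation whose arguments merely contain the word (for example a group name containing "Users") now fires this user-discovery hunt. If the intent is the subcommand only, anchoring on the surrounding space is tighter, e.g. `Processes.process IN ("* user", "* user *", "* users", "* users *")`, which keeps the `/add` and `/delete` exclusion unchanged. The `known_false_positives` line would then not need to absorb group-related hits.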
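Review bot: `*CiscoAMP*` on the last added row is the only mixed-case pattern in the lookup; every other row, old and new, is lowercase. If the lookup definition keeps Splunk's default `case_sensitive_match = true`, a service name recorded as `ciscoamp` or `CISCOAMP` would miss while the lowercase rows behave as expected, so either normalise the row to `*ciscoamp*` or confirm the definition disables case sensitivity and note it in the commit.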
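Review bot: The new `definition` drops `net.exe` so `process_net` now matches only `net1.exe`, but the `description` line beneath it is unchanged and the detections built on the macro still document both binaries — the `Windows User Discovery Via Net` hunk above keeps "detects the execution of `net.exe` or `net1.exe`" in its description. Presumably the reasoning is that `net.exe` hands the command to `net1.exe`, so matching the child alone avoids double counting; if so, state it in the macro, e.g. `description: Matches net1.exe only (net.exe is expected to hand off to net1.exe, so matching the child avoids duplicate events); data for this macro came from https://strontic.github.io/`, and align the dependent detection descriptions. The macro `name` staying `process_net` is fine for compatibility but is worth the explanatory sentence for that reason.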
From: Nasreddine Bencherchali Date: Tue, 14 Jan 2025 19:34:31 +0100 Subject: [PATCH 04/37] update powershell analytics --- ...ct_critical_alerts_from_security_tools.yml | 8 +- .../endpoint/excel_spawning_powershell.yml | 9 +- .../excel_spawning_windows_script_host.yml | 7 +- .../microsoft_defender_atp_alerts.yml | 2 +- .../microsoft_defender_incident_alerts.yml | 2 +- ...ice_application_spawn_regsvr32_process.yml | 9 +- ...ice_application_spawn_rundll32_process.yml | 9 +- .../office_product_spawn_cmd_process.yml | 9 +- .../office_product_spawning_bitsadmin.yml | 9 +- .../office_product_spawning_certutil.yml | 9 +- .../office_product_spawning_mshta.yml | 9 +- ...e_product_spawning_windows_script_host.yml | 9 +- .../endpoint/office_product_spawning_wmic.yml | 7 +- ...ct_spawned_child_process_for_download.yml} | 8 +- ...indows_office_product_spawned_control.yml} | 14 +- ...> windows_office_product_spawned_msdt.yml} | 14 +- ..._product_spawned_rundll32_with_no_dll.yml} | 15 +- ...ffice_product_spawned_uncommon_process.yml | 133 ++++++++++++++++++ detections/endpoint/winword_spawning_cmd.yml | 9 +- .../endpoint/winword_spawning_powershell.yml | 9 +- .../winword_spawning_windows_script_host.yml | 9 +- macros/process_cscript.yml | 3 + macros/process_office_products.yml | 12 ++ macros/process_office_products_parent.yml | 3 + macros/process_powershell.yml | 2 +- macros/process_wscript.yml | 3 + 26 files changed, 240 insertions(+), 92 deletions(-) rename detections/endpoint/{office_document_spawned_child_process_to_download.yml => windows_office_product_spawned_child_process_for_download.yml} (89%) rename detections/endpoint/{office_spawning_control.yml => windows_office_product_spawned_control.yml} (85%) rename detections/endpoint/{windows_office_product_spawning_msdt.yml => windows_office_product_spawned_msdt.yml} (85%) rename detections/endpoint/{office_product_spawning_rundll32_with_no_dll.yml => windows_office_product_spawned_rundll32_with_no_dll.yml} (83%) create mode 
100644 detections/endpoint/windows_office_product_spawned_uncommon_process.yml create mode 100644 macros/process_cscript.yml create mode 100644 macros/process_office_products.yml create mode 100644 macros/process_office_products_parent.yml create mode 100644 macros/process_wscript.yml diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index 1f4623df42..fb81228890 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml 
@@ -1,14 +1,14 @@ name: Detect Critical Alerts from Security Tools id: 483e8a68-f2f7-45be-8fc9-bf725f0e22fd -version: 1 -date: '2024-10-09' +version: 2 +date: '2025-01-13' author: Gowthamaraj Rajendran, Patrick Bareiss, Bhavin Patel, Bryan Pluta, Splunk -status: production +status: deprecated type: TTP data_source: - Windows Defender Alerts - MS365 Defender Incident Alerts -description: The following analytics is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. +description: The following analytic has been deprecated in favour of specific and dedicated product analytics such as "Microsoft Defender ATP Alerts". The following analytic is to detect high and critical alerts from endpoint security tools such as Microsoft Defender, Carbon Black, and Crowdstrike. 
This query aggregates and summarizes critical severity alerts from the Alerts data model, providing details such as the alert signature, application, description, source, destination, and timestamps, while applying custom filters and formatting for enhanced analysis in a SIEM environment.This capability allows security teams to efficiently allocate resources and maintain a strong security posture, while also supporting compliance with regulatory requirements by providing a clear record of critical security events. We tested these detections with logs from Microsoft Defender, however this detection should work for any security alerts that are ingested into the alerts data model. **Note** - We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Alerts.description) as description values(Alerts.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id values(Alerts.severity) as severity values(Alerts.type) as type values(Alerts.severity_id) as severity_id values(Alerts.signature) as signature values(Alerts.signature_id) as signature_id values(Alerts.dest) as dest from datamodel=Alerts where Alerts.severity IN ("high","critical") by Alerts.src Alerts.user Alerts.id Alerts.vendor sourcetype | `drop_dm_object_name("Alerts")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval risk_score=case(severity="informational", 2, severity="low", 5, severity="medium", 10, severity="high", 50, severity="critical" , 100) | `detect_critical_alerts_from_security_tools_filter`' how_to_implement: In order to properly run this search, you to ingest alerts data from other security products such as Crowdstrike, Microsoft Defender, or Carbon Black using appropriate TAs for that technology. 
Once ingested, the fields should be mapped to the Alerts data model. Make sure to apply transformation on the data if necessary. The risk_score field is used to calculate the risk score for the alerts and the mitre_technique_id field is used to map the alerts to the MITRE ATT&CK framework is dynamically created by the detection when this is triggered. These fields need not be set in the adaptive response actions. known_false_positives: False positives may vary by endpoint protection tool; monitor and filter out the alerts that are not relevant to your environment. diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/endpoint/excel_spawning_powershell.yml index b5a20e1c1c..563ea6d29a 100644 --- a/detections/endpoint/excel_spawning_powershell.yml +++ b/detections/endpoint/excel_spawning_powershell.yml @@ -1,11 +1,12 @@ name: Excel Spawning PowerShell id: 42d40a22-9be3-11eb-8f08-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects Microsoft Excel spawning PowerShell, an +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects Microsoft Excel spawning PowerShell, an uncommon and suspicious behavior. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is "excel.exe" and the child process is PowerShell. This activity is significant diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml index 6bf165787f..50d7f1336b 100644 --- a/detections/endpoint/excel_spawning_windows_script_host.yml +++ b/detections/endpoint/excel_spawning_windows_script_host.yml 
@@ -1,11 +1,12 @@ name: Excel Spawning Windows Script Host id: 57fe880a-9be3-11eb-9bf3-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2025-01-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies instances where Microsoft Excel spawns +description: The following analytic has been deprecated in favour of a more generic approach. + The following analytic identifies instances where Microsoft Excel spawns Windows Script Host processes (`cscript.exe` or `wscript.exe`). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is `excel.exe`. This activity is significant diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml index 20bd0b9e37..7afd85785e 100644 --- a/detections/endpoint/microsoft_defender_atp_alerts.yml +++ b/detections/endpoint/microsoft_defender_atp_alerts.yml 
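Review bot: The new `description` line states the analytic has been deprecated, yet `status: production` two lines above is left unchanged, unlike the sibling hunks in this patch that flip it to `status: deprecated`; the `office_product_spawning_wmic.yml` hunk further down has the same mismatch. The sentence here also names no successor ("a more generic approach") while the other deprecation hunks name "Windows Office Product Spawned Uncommon Process". Suggest `status: deprecated` and, if that detection is indeed the replacement, `description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".` so a reader knows where coverage moved.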
@@ -15,7 +15,7 @@ search: ' `ms_defender_atp_alerts` (dest=* OR user=*)| eval tmp_evidence=json_ex | stats count min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `microsoft_defender_atp_alerts_filter`' -how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsoft Security. This add-on will collect alerts using the ms:defender:atp:alerts sourcetype. You will need to define the `ms_defender_atp_alerts` macro to point to the proper index that contains the ms:defender:atp:alerts sourcetype. **NOTE** - We also have a detection named `Detect Critical Alerts from Security Tools` that triggers on the same data and is written against the Alerts datamodel. Enabling both of these detections will result in duplicate risk/notable events, we recommend enabling only one of these detections. +how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsoft Security. This add-on will collect alerts using the ms:defender:atp:alerts sourcetype. You will need to define the `ms_defender_atp_alerts` macro to point to the proper index that contains the ms:defender:atp:alerts sourcetype. known_false_positives: False positives may vary based on Microsfot Defender configuration; monitor and filter out the alerts that are not relevant to your environment. references: - https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents?view=o365-worldwide 
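Review bot: The rewritten `how_to_implement` line carries over the typo `specifcally`; since the line is already being replaced this is the moment to make it `specifically`. The same `specifcally` and, additionally, `Microsfot Security` appear on the new `how_to_implement` line of the `microsoft_defender_incident_alerts.yml` hunk below, and the unchanged `known_false_positives` context line in both files has `Microsfot Defender`. Those are documentation-only fixes but they are user-facing in the rendered detection pages.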
diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml index 324d8b7573..986beed0d1 100644 --- a/detections/endpoint/microsoft_defender_incident_alerts.yml +++ b/detections/endpoint/microsoft_defender_incident_alerts.yml 
@@ -21,7 +21,7 @@ url = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "url")) | eval tmp_filtered_mv=mvfilter(json_extract(tmp_filtered_mv, "entityType") = "File"), fileName = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "fileName")) | eval risk_score=case(severity="informational", 5, severity="low", 15, severity="medium", 25, severity="high", 50, true(), 2) | stats count min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `microsoft_defender_incident_alerts_filter`' -how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsfot Security. This add-on will collect alerts using the ms365:defender:incident:alerts sourcetype. You will need to define the `ms365_defender_incident_alerts` macro to point to the proper index that contains the ms365:defender:incident:alerts sourcetype. **NOTE** - We also have a detection named `Detect Critical Alerts from Security Tools` that triggers on the same data and is written against the Alerts datamodel. Enabling both of these detections will result in duplicate risk/notable events, we recommend enabling only one of these detections. +how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsfot Security. This add-on will collect alerts using the ms365:defender:incident:alerts sourcetype. 
You will need to define the `ms365_defender_incident_alerts` macro to point to the proper index that contains the ms365:defender:incident:alerts sourcetype. known_false_positives: False positives may vary based on Microsfot Defender configuration; monitor and filter out the alerts that are not relevant to your environment. references: - https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents?view=o365-worldwide diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/endpoint/office_application_spawn_regsvr32_process.yml index d2a1d1f9d3..bcc5192bfa 100644 --- a/detections/endpoint/office_application_spawn_regsvr32_process.yml +++ b/detections/endpoint/office_application_spawn_regsvr32_process.yml @@ -1,11 +1,12 @@ name: Office Application Spawn Regsvr32 process id: 2d9fc90c-f11f-11eb-9300-acde48001122 -version: '7' -date: '2024-11-28' +version: 8 +date: '2025-01-13' author: Teoderick Contreras, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where an Office application +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where an Office application spawns a Regsvr32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/endpoint/office_application_spawn_rundll32_process.yml index 9eb468df33..b4865e5899 100644 --- a/detections/endpoint/office_application_spawn_rundll32_process.yml +++ b/detections/endpoint/office_application_spawn_rundll32_process.yml 
@@ -1,11 +1,12 @@ name: Office Application Spawn rundll32 process id: 958751e4-9c5f-11eb-b103-acde48001122 -version: '7' -date: '2024-11-28' +version: 8 +date: '2025-01-13' author: Teoderick Contreras, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where an Office application +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where an Office application spawns a rundll32 process, which is often indicative of macro execution or malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is a known Office application. diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml index f095e1101c..a0927c1844 100644 --- a/detections/endpoint/office_product_spawn_cmd_process.yml +++ b/detections/endpoint/office_product_spawn_cmd_process.yml 
@@ -1,11 +1,12 @@ name: Office Product Spawn CMD Process id: b8b19420-e892-11eb-9244-acde48001122 -version: 7 -date: '2024-09-30' +version: 8 +date: '2025-01-13' author: Teoderick Contreras, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities. +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/endpoint/office_product_spawning_bitsadmin.yml index 940117145d..68a8cf0052 100644 --- a/detections/endpoint/office_product_spawning_bitsadmin.yml +++ b/detections/endpoint/office_product_spawning_bitsadmin.yml 
@@ -1,11 +1,12 @@ name: Office Product Spawning BITSAdmin id: e8c591f4-a6d7-11eb-8cf7-acde48001122 -version: '8' -date: '2024-11-28' +version: 9 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects any Windows Office Product spawning `bitsadmin.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant because `bitsadmin.exe` diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/endpoint/office_product_spawning_certutil.yml index c9b7f0f134..3c131b17a7 100644 --- a/detections/endpoint/office_product_spawning_certutil.yml +++ b/detections/endpoint/office_product_spawning_certutil.yml @@ -1,11 +1,12 @@ name: Office Product Spawning CertUtil id: 6925fe72-a6d5-11eb-9e17-acde48001122 -version: '8' -date: '2024-11-28' +version: 9 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects any Windows Office Product spawning `certutil.exe`, +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects any Windows Office Product spawning `certutil.exe`, a behavior often associated with malware families like TA551 and IcedID. This detection leverages Endpoint Detection and Response (EDR) data, focusing on process relationships and command-line executions. The significance lies in the fact that `certutil.exe` 
diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/endpoint/office_product_spawning_mshta.yml index 2965f3c20f..727712a09b 100644 --- a/detections/endpoint/office_product_spawning_mshta.yml +++ b/detections/endpoint/office_product_spawning_mshta.yml @@ -1,11 +1,12 @@ name: Office Product Spawning MSHTA id: 6078fa20-a6d2-11eb-b662-acde48001122 -version: '7' -date: '2024-11-28' +version: 8 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where a Microsoft Office +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where a Microsoft Office product spawns `mshta.exe`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is an Office application. This activity is significant because it is a common diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/endpoint/office_product_spawning_windows_script_host.yml index 2b93960b14..0a0e918fef 100644 --- a/detections/endpoint/office_product_spawning_windows_script_host.yml +++ b/detections/endpoint/office_product_spawning_windows_script_host.yml 
@@ -1,11 +1,12 @@ name: Office Product Spawning Windows Script Host id: b3628a5b-8d02-42fa-a891-eebf2351cbe1 -version: '9' -date: '2024-11-28' +version: 10 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects an Office product spawning WScript.exe +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects an Office product spawning WScript.exe or CScript.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent processes. This activity is significant because it may indicate the execution of potentially diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/endpoint/office_product_spawning_wmic.yml index c9cc9e5120..6f4941e74a 100644 --- a/detections/endpoint/office_product_spawning_wmic.yml +++ b/detections/endpoint/office_product_spawning_wmic.yml @@ -1,11 +1,12 @@ name: Office Product Spawning Wmic id: ffc236d6-a6c9-11eb-95f1-acde48001122 -version: '9' -date: '2024-11-28' +version: 10 +date: '2025-01-13' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects any Windows Office Product spawning `wmic.exe`, +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic detects any Windows Office Product spawning `wmic.exe`, specifically when the command-line of `wmic.exe` contains `wmic process call create`. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. This activity is significant 
diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
similarity index 89%
rename from detections/endpoint/office_document_spawned_child_process_to_download.yml
rename to detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
index 1eef641d0b..67916f2880 100644
--- a/detections/endpoint/office_document_spawned_child_process_to_download.yml
+++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
@@ -1,7 +1,7 @@
-name: Office Document Spawned Child Process To Download
+name: Windows Office Product Spawned Child Process For Download
 id: 6fed27d2-9ec7-11eb-8fe4-aa665a019aa3
-version: 8
-date: '2024-09-30'
+version: 9
+date: '2025-01-14'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_spawned_child_process_to_download_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_spawned_child_process_for_download_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Default browser not in the filter list. references: diff --git a/detections/endpoint/office_spawning_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml similarity index 85% rename from detections/endpoint/office_spawning_control.yml rename to detections/endpoint/windows_office_product_spawned_control.yml index 9546f5e133..2bec8c5dd6 100644 --- a/detections/endpoint/office_spawning_control.yml +++ b/detections/endpoint/windows_office_product_spawned_control.yml @@ -1,7 +1,7 @@ -name: Office Spawning Control +name: Windows Office Product Spawned Control id: 053e027c-10c7-11ec-8437-acde48001122 -version: '8' -date: '2024-11-28' +version: 9 +date: '2025-01-14' author: Michael Haag, Splunk status: production type: TTP 
@@ -17,13 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") - Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name - Processes.parent_process Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `office_spawning_control_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_office_product_spawned_control_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
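Review bot: The rewritten parent list on the `+search:` line drops `wordpad.exe` and `wordview.exe`, which the removed lines covered, while adding `outlook.exe`, `Graph.exe` and `winproj.exe`. If narrowing coverage of WordPad/Word Viewer is intended it should be stated in the commit message, because the same list is pasted into the MSDT and rundll32 hunks below and later becomes the `process_office_products_parent` macro, so the omission propagates to every consumer.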
diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml
similarity index 85%
rename from detections/endpoint/windows_office_product_spawning_msdt.yml
rename to detections/endpoint/windows_office_product_spawned_msdt.yml
index d8c51b1823..99a38b7c32 100644
--- a/detections/endpoint/windows_office_product_spawning_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawned_msdt.yml
@@ -1,7 +1,7 @@
-name: Windows Office Product Spawning MSDT
+name: Windows Office Product Spawned MSDT
 id: 127eba64-c981-40bf-8589-1830638864a7
-version: '8'
-date: '2024-11-28'
+version: 0
+date: '2025-01-14'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
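Review bot: `+version: 0` on the renamed MSDT analytic regresses the version from `'8'`, while the sibling renames in this patch move from `'8'` to `9`. The content build presumably expects the version to increase on change, so this line should read `version: 9`.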
@@ -17,13 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") - Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name - Processes.parent_process Processes.process_name Processes.original_file_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawning_msdt_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_msdt_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
similarity index 83%
rename from detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
rename to detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
index 794babfd6f..15b754c31b 100644
--- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
+++ b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
@@ -1,7 +1,7 @@
-name: Office Product Spawning Rundll32 with no DLL
+name: Windows Office Product Spawned Rundll32 With No DLL
 id: c661f6be-a38c-11eb-be57-acde48001122
-version: '8'
-date: '2024-11-28'
+version: 9
+date: '2025-01-14'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -17,14 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name - IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", - "msaccess.exe", "Graph.exe","winproj.exe") `process_rundll32` (Processes.process!=*.dll*) - by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `office_product_spawning_rundll32_with_no_dll_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_rundll32_with_no_dll_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
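Review bot: The new `+search:` line reads `Processes.parent_process_name ("excel.exe", ...)` — the `IN` operator was lost in the rewrite, which is a syntax error in the `tstats where` clause and would keep the analytic from running at all. Restore it as `Processes.parent_process_name IN ("excel.exe", "Graph.exe", ...)`. The PATCH 05 hunk for this file further down replaces the whole clause with the `process_office_products_parent` macro, which removes the problem going forward, but this intermediate commit should not land a broken search.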
diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
new file mode 100644
index 0000000000..fe3b519c03
--- /dev/null
+++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
@@ -0,0 +1,133 @@
+name: Windows Office Product Spawned Uncommon Process
+id: 55d8741c-fa32-4692-8109-410304961eb8
+version: 1
+date: '2025-01-13'
+author: Michael Haag, Teoderick Contreras, Splunk
+status: production
+type: TTP
+description: The following analytic detects a Microsoft Office product spawning uncommon processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where Office applications are the parent process. This activity is significant as it may indicate an attempt of a malicious macro execution or exploitation of an unknown vulnerability in an office product, in order to bypass security controls. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") AND (`process_bitsadmin` OR `process_certutil` OR `process_cmd` OR `process_cscript` OR `process_mshta` OR `process_powershell` OR `process_regsvr32` OR `process_rundll32` OR `process_wmic` OR `process_wscript`) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_uncommon_process_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: False positives should be limited, however filter as needed.
+references:
+- https://any.run/malware-trends/trickbot
+- https://any.run/report/47561b4e949041eff0a0f4693c59c81726591779fe21183ae9185b5eb6a69847/aba3722a-b373-4dae-8273-8730fb40cdbe
+- https://app.any.run/tasks/fb894ab8-a966-4b72-920b-935f41756afd/
+- https://attack.mitre.org/techniques/T1047/
+- https://bazaar.abuse.ch/sample/02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781/
+- https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
+- https://redcanary.com/threat-detection-report/threats/TA551/
+- https://twitter.com/cyb3rops/status/1416050325870587910?s=21
+- https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
+- https://www.joesandbox.com/analysis/380662/0/html
+- https://www.joesandbox.com/analysis/702680/0/html
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+ search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+ "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
+ as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+ Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - AgentTesla
+ - Azorult
+ - Compromised Windows Host
+ - CVE-2023-21716 Word RTF Heap Corruption
+ - CVE-2023-36884 Office and Windows HTML RCE Vulnerability
+ - DarkCrystal RAT
+ - FIN7
+ - IcedID
+ - NjRAT
+ - PlugX
+ - Qakbot
+ - Remcos
+ - Spearphishing Attachments
+ - Trickbot
+ - Warzone RAT
+ asset_type: Endpoint
+ confidence: 100
+ impact: 100
+ message: Office process $parent_process_name$ spawned a potentially suspicious child
+ process $process_name$ with process id $process_id$ in host $dest$
+ mitre_attack_id:
+ - T1566
+ - T1566.001
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: dest
+ type: Hostname
+ role:
+ - Victim
+ - name: parent_process_name
+ type: Process
+ role:
+ - Attacker
+ - name: process_name
+ type: Process
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - _time
+ - Processes.dest
+ - Processes.user
+ - Processes.parent_process_name
+ - Processes.parent_process
+ - Processes.original_file_name
+ - Processes.process_name
+ - Processes.process
+ - Processes.process_id
+ - Processes.parent_process_path
+ - Processes.process_path
+ - Processes.parent_process_id
+ risk_score: 100
+ security_domain: endpoint
+tests:
+- name: True Positive Test - Macro
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/datasets/windows-sysmon.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
+- name: True Positive Test - IcedId
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
+ update_timestamp: true
+- name: True Positive Test - TrickBot
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/endpoint/winword_spawning_cmd.yml
index 0379596615..ea5336cf1b 100644
--- a/detections/endpoint/winword_spawning_cmd.yml
+++ b/detections/endpoint/winword_spawning_cmd.yml
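Review bot: `required_fields` lists `Processes.parent_process_path` and `Processes.process_path`, neither of which the `search:` line filters on or groups by, so the list overstates what the analytic needs and should drop those two entries. `risk_score: 100` with `confidence: 100` for any Office parent spawning `cmd.exe` or `powershell.exe` through the `process_cmd`/`process_powershell` macros looks high, since legitimate add-ins and administrative macros produce the same parent/child pair; the `known_false_positives` line ("False positives should be limited, however filter as needed.") should name that class of benign activity and point at `windows_office_product_spawned_uncommon_process_filter` as the tuning hook. `mitre_attack_id` carries only T1566 and T1566.001 while the references cite T1047, T1105 and T1197, which the matched child processes (wmic, bitsadmin/certutil) arguably map to as well.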
@@ -1,11 +1,12 @@ name: Winword Spawning Cmd id: 6fcbaedc-a37b-11eb-956b-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where Microsoft Word (winword.exe) +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where Microsoft Word (winword.exe) spawns the command prompt (cmd.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/endpoint/winword_spawning_powershell.yml index 001d2338b3..91d719d427 100644 --- a/detections/endpoint/winword_spawning_powershell.yml +++ b/detections/endpoint/winword_spawning_powershell.yml @@ -1,11 +1,12 @@ name: Winword Spawning PowerShell id: b2c950b8-9be2-11eb-8658-acde48001122 -version: '6' -date: '2024-11-28' +version: 7 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where Microsoft Word (winword.exe) +description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". + The following analytic identifies instances where Microsoft Word (winword.exe) spawns a PowerShell process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is winword.exe. This activity is significant because it is uncommon and 
diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/endpoint/winword_spawning_windows_script_host.yml index 6ac533acc8..52d3046d40 100644 --- a/detections/endpoint/winword_spawning_windows_script_host.yml +++ b/detections/endpoint/winword_spawning_windows_script_host.yml @@ -1,11 +1,12 @@ name: Winword Spawning Windows Script Host id: 637e1b5c-9be1-11eb-9c32-acde48001122 -version: '5' -date: '2024-11-28' +version: 6 +date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP -description: The following analytic identifies instances where Microsoft Winword.exe +description: The following analytic has been deprecated in favour of a more generic approach. + The following analytic identifies instances where Microsoft Winword.exe spawns Windows Script Host processes (cscript.exe or wscript.exe). This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is Winword.exe. This activity is significant diff --git a/macros/process_cscript.yml b/macros/process_cscript.yml new file mode 100644 index 0000000000..ea60a34a73 --- /dev/null +++ b/macros/process_cscript.yml @@ -0,0 +1,3 @@ +definition: (Processes.process_name=cscript.exe OR Processes.original_file_name=cscript.exe) +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_cscript diff --git a/macros/process_office_products.yml b/macros/process_office_products.yml new file mode 100644 index 0000000000..c5ad1f758c --- /dev/null +++ b/macros/process_office_products.yml 
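Review bot: The deprecation sentence added to the Windows Script Host description stops at `in favour of a more generic approach.` without naming the replacement, unlike the cmd and PowerShell hunks above, which name "Windows Office Product Spawned Uncommon Process". Since the `process_cscript` and `process_wscript` macros introduced in this same patch are exactly what that analytic consumes, the same wording fits here: `+description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process".`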
@@ -0,0 +1,12 @@
+definition: (Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)
+description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
+name: process_office_products
+
+
+("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe")
+
+(Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe"))
+
+
+Processes.process_name
+Processes.original_file_name
\ No newline at end of file
diff --git a/macros/process_office_products_parent.yml b/macros/process_office_products_parent.yml
new file mode 100644
index 0000000000..fd0277400d
--- /dev/null
+++ b/macros/process_office_products_parent.yml
@@ -0,0 +1,3 @@
+definition: (Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe"))
+description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
+name: process_office_products_parent
\ No newline at end of file
diff --git a/macros/process_powershell.yml b/macros/process_powershell.yml
index e90bfb853e..f5b56bebd7 100644
--- a/macros/process_powershell.yml
+++ b/macros/process_powershell.yml
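Review bot: `macros/process_office_products.yml` is committed with a `definition:` that matches `ping.exe`, followed by scratch lines (a bare process list, a second parenthesised clause, two field names) that sit outside any YAML key; as written the file either fails to load or expands to a ping filter wherever `process_office_products` is referenced. The PATCH 05 diffstat shows this file being reworked (`macros/process_office_products.yml | 13 ++-----------`), so this may be resolved there, but the intermediate commit should not land a broken macro. The sibling `process_office_products_parent.yml` in this hunk reuses the boilerplate description "Matches the process with its original file name", which does not describe a parent-process-name list; something like `description: Matches process creation events whose parent is a Microsoft Office product, by Processes.parent_process_name` would tell consumers what they are expanding.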
@@ -1,3 +1,3 @@ -definition: (Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE) +definition: (Processes.process_name=pwsh.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE) description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ name: process_powershell \ No newline at end of file diff --git a/macros/process_wscript.yml b/macros/process_wscript.yml new file mode 100644 index 0000000000..2ec5d68963 --- /dev/null +++ b/macros/process_wscript.yml @@ -0,0 +1,3 @@ +definition: (Processes.process_name=wscript.exe OR Processes.original_file_name=wscript.exe) +description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ +name: process_wscript From 4f16cb3115ee2786cdf927c709217245d9744b60 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 14 Jan 2025 20:02:52 +0100 Subject: [PATCH 05/37] update office macro --- ...e_product_spawned_child_process_for_download.yml | 2 +- .../windows_office_product_spawned_control.yml | 2 +- .../windows_office_product_spawned_msdt.yml | 2 +- ..._office_product_spawned_rundll32_with_no_dll.yml | 2 +- ...dows_office_product_spawned_uncommon_process.yml | 2 +- macros/process_office_products.yml | 13 ++----------- macros/process_office_products_parent.yml | 2 +- 7 files changed, 8 insertions(+), 17 deletions(-) 
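Review bot: The `process_powershell` change drops `Processes.process_name=sqlps.exe` and `Processes.process_name=sqltoolsps.exe` from the definition; this is a shared macro, so every analytic that expands it loses coverage of the SQL Server PowerShell hosts, and nothing in the visible hunk or patch description explains why. If the narrowing is deliberate it deserves its own commit and a note in the macro `description:`; otherwise keep the two terms in the new definition line.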
diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
index 67916f2880..05cd8c0c25 100644
--- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
+++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
@@ -10,7 +10,7 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_spawned_child_process_for_download_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_spawned_child_process_for_download_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: Default browser not in the filter list.
 references:
diff --git a/detections/endpoint/windows_office_product_spawned_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml
index 2bec8c5dd6..e69030ff03 100644
--- a/detections/endpoint/windows_office_product_spawned_control.yml
+++ b/detections/endpoint/windows_office_product_spawned_control.yml
@@ -17,7 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_office_product_spawned_control_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_office_product_spawned_control_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml index 99a38b7c32..0f67d0dab1 100644 --- a/detections/endpoint/windows_office_product_spawned_msdt.yml +++ b/detections/endpoint/windows_office_product_spawned_msdt.yml 
@@ -17,7 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_msdt_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_msdt_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml index 15b754c31b..53b0bfcd5c 100644 --- a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml 
+++ b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml @@ -17,7 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_rundll32_with_no_dll_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_rundll32_with_no_dll_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml index fe3b519c03..6ff3bac2c6 100644 
--- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
+++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
@@ -10,7 +10,7 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") AND (`process_bitsadmin` OR `process_certutil` OR `process_cmd` OR `process_cscript` OR `process_mshta` OR `process_powershell` OR `process_regsvr32` OR `process_rundll32` OR `process_wmic` OR `process_wscript`) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_uncommon_process_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` AND (`process_bitsadmin` OR `process_certutil` OR `process_cmd` OR `process_cscript` OR `process_mshta` OR `process_powershell` OR `process_regsvr32` OR `process_rundll32` OR `process_wmic` OR `process_wscript`) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_uncommon_process_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: False positives should be limited, however filter as needed.
 references:
diff --git a/macros/process_office_products.yml b/macros/process_office_products.yml
index c5ad1f758c..d161fca52c 100644
--- a/macros/process_office_products.yml
+++ b/macros/process_office_products.yml
@@ -1,12 +1,3 @@
-definition: (Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe)
+definition: (Processes.process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") OR Processes.original_file_name IN ("EQNEDT32.EXE", "Excel.exe", "Graph.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteIm.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "VISIO.EXE", "WinProj.exe", "WinWord.exe"))
 description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
-name: process_office_products
-
-
-("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe")
-
-(Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe"))
-
-
-Processes.process_name
-Processes.original_file_name
\ No newline at end of file
+name: process_office_products
\ No newline at end of file
diff --git a/macros/process_office_products_parent.yml b/macros/process_office_products_parent.yml
index fd0277400d..c4cd308613 100644
--- a/macros/process_office_products_parent.yml
+++ b/macros/process_office_products_parent.yml
@@ -1,3 +1,3 @@
-definition: (Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe"))
+definition: (Processes.parent_process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe"))
 description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
 name: process_office_products_parent
\ No newline at end of file
From 082368e86dde0ce5b22e03a87fa75a0b0b652856 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Wed, 15 Jan 2025 15:55:16 +0100
Subject: [PATCH 06/37] update reg analytics
---
 ...dential_dump_from_registry_via_reg_exe.yml | 9 ++++---
 ...ows_registry_entries_exported_via_reg.yml} | 6 ++---
 ...ows_registry_entries_restored_via_reg.yml} | 8 +++---
 ...ve_registry_hive_dump_via_commandline.yml} | 27 ++++++++++++-------
 macros/process_regedit.yml | 3 +++
 5 files changed, 33 insertions(+), 20 deletions(-)
 rename detections/endpoint/{windows_query_registry_reg_save.yml => windows_registry_entries_exported_via_reg.yml} (71%)
 rename detections/endpoint/{windows_modify_registry_reg_restore.yml => windows_registry_entries_restored_via_reg.yml} (85%)
 rename detections/endpoint/{extraction_of_registry_hives.yml => windows_sensitive_registry_hive_dump_via_commandline.yml} (74%)
 create mode 100644 macros/process_regedit.yml
diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
index 0c3559dd49..bf4321d0a1 100644
--- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
+++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
@@ -1,11 +1,12 @@ name: Attempted Credential Dump From Registry via Reg exe id: e9fb4a59-c5fb-440a-9f24-191fbc6b2911 -version: '11' -date: '2024-11-28' +version: 12 +date: '2025-01-15' author: Patrick Bareiss, Splunk -status: production +status: deprecated type: TTP -description: The following analytic detects the execution of reg.exe with parameters +description: The following analytic has been deprecated in favour of "8bbb7d58-b360-11eb-ba21-acde48001122". + The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_registry_entries_exported_via_reg.yml similarity index 71% rename from detections/endpoint/windows_query_registry_reg_save.yml rename to detections/endpoint/windows_registry_entries_exported_via_reg.yml index 62d4a5536e..ebdf080905 100644 --- a/detections/endpoint/windows_query_registry_reg_save.yml +++ b/detections/endpoint/windows_registry_entries_exported_via_reg.yml 
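Review bot: The new deprecation sentence names the successor only by UUID, which forces a reader to resolve "8bbb7d58-b360-11eb-ba21-acde48001122" before they know what replaced this analytic. Since the successor is renamed in this same patch series, quote its name too: `deprecated in favour of "Windows Sensitive Registry Hive Dump Via CommandLine" (8bbb7d58-b360-11eb-ba21-acde48001122)`. The rest of the description is left as the old detection text, so a one-line lead-in such as "The original description follows for reference." would make clear that what follows no longer describes active content. The description scalar continues past the end of this hunk.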
@@ -1,16 +1,16 @@
-name: Windows Query Registry Reg Save
+name: Windows Registry Entries Exported Via Reg
 id: cbee60c1-b776-456f-83c2-faa56bdbe6c6
 version: 3
 date: '2024-10-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
-description: The following analytic detects the execution of the reg.exe process with the "save" parameter. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the "reg save" command to dump credentials or test registry modification capabilities on compromised hosts. If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry.
+description: The following analytic detects the execution of the reg.exe process with either the "save" or "export" parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because threat actors often use the "reg save" or "reg export" command to dump credentials or test registry modification capabilities on compromised hosts. If confirmed malicious, this behavior could allow attackers to escalate privileges, persist in the environment, or access sensitive information stored in the registry.
data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* save *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_query_registry_reg_save_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process IN ("* save *", "* export *") by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_entries_exported_via_reg_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: network administrator can use this command tool to backup registry before updates or modifying critical registries.
 references:
diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_registry_entries_restored_via_reg.yml
similarity index 85%
rename from detections/endpoint/windows_modify_registry_reg_restore.yml
rename to detections/endpoint/windows_registry_entries_restored_via_reg.yml
index 5e6a9ed246..a443300194 100644
--- a/detections/endpoint/windows_modify_registry_reg_restore.yml
+++ b/detections/endpoint/windows_registry_entries_restored_via_reg.yml
@@ -1,7 +1,7 @@
-name: Windows Modify Registry Reg Restore
+name: Windows Registry Entries Restored Via Reg
 id: d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-14'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -10,7 +10,7 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* restore *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_reg_restore_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* restore *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_entries_restored_via_reg_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: network administrator can use this command tool to backup registry before updates or modifying critical registries.
 references:
diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
similarity index 74%
rename from detections/endpoint/extraction_of_registry_hives.yml
rename to detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
index ae858df02b..777938da61 100644
--- a/detections/endpoint/extraction_of_registry_hives.yml
+++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
@@ -1,8 +1,8 @@
-name: Extraction of Registry Hives
+name: Windows Sensitive Registry Hive Dump Via CommandLine
 id: 8bbb7d58-b360-11eb-ba21-acde48001122
-version: 4
-date: '2024-09-30'
-author: Michael Haag, Splunk
+version: 5
+date: '2025-01-15'
+author: Michael Haag, Patrick Bareiss, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
 description: The following analytic detects the use of `reg.exe` to export Windows Registry hives, which may contain sensitive credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `save` or `export` actions targeting the `sam`, `system`, or `security` hives. This activity is significant as it indicates potential offline credential access attacks, often executed from untrusted processes or scripts. If confirmed malicious, attackers could gain access to credential data, enabling further compromise and lateral movement within the network.
@@ -10,7 +10,7 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process="*\sam *" OR Processes.process="*\system *" OR Processes.process="*\security *") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extraction_of_registry_hives_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_reg` AND (Processes.process=*save* OR Processes.process=*export*)) OR (`process_regedit` Processes.process IN ("*/E *", "*-E *"))) AND (Processes.process="*HKEY_LOCAL_MACHINE*" OR Processes.process="*HKLM*") AND (Processes.process="*\sam*" OR Processes.process="*\system*" OR Processes.process="*\security*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sensitive_registry_hive_dump_via_commandline_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions.
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: It is possible some agent based products will generate false positives. Filter as needed.
 references:
@@ -28,15 +28,19 @@ drilldown_searches:
 latest_offset: $info_max_time$
 tags:
 analytic_story:
- - Volt Typhoon
- - Credential Dumping
+ - CISA AA22-257A
 - CISA AA23-347A
+ - Compromised Windows Host
+ - Credential Dumping
 - DarkSide Ransomware
- - CISA AA22-257A
+ - Data Destruction
+ - Industroyer2
+ - Volt Typhoon
+ - Windows Registry Abuse
 asset_type: Endpoint
 confidence: 70
 impact: 80
- message: Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$
+ message: Suspicious use of `reg.exe` or `regedit.exe` to export sensitive registry hives that could potentially contain credentials, executed on $dest$ by user $user$, with a parent process of $parent_process_name$
 mitre_attack_id:
 - T1003.002
 - T1003
@@ -78,3 +82,8 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: XmlWinEventLog
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log
+ source: crowdstrike
+ sourcetype: crowdstrike:events:sensor
diff --git a/macros/process_regedit.yml b/macros/process_regedit.yml
new file mode 100644
index 0000000000..c611ec65d8
--- /dev/null
+++ b/macros/process_regedit.yml
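Review bot: Dropping the trailing space from the hive patterns (`"*\sam *"` becoming `"*\sam*"`, and likewise for system and security) widens the match well beyond the three hive names: with the new `*HKLM*` and save/export conditions already satisfied, any export whose destination path contains `\System32` or a folder such as `\samples` will now match on `*\system*` / `*\sam*`, which the unchanged `known_false_positives` text does not anticipate. If the space was removed so that a hive name at the very end of the command line is caught, a boundary-preserving form keeps both cases: `Processes.process IN ("*\sam", "*\sam *", "*\system", "*\system *", "*\security", "*\security *")`. Separately, the `description` context line in the preceding `@@ -1,8` hunk still says the analytic detects the use of `reg.exe` only, while the search and the updated `message` now also cover `regedit.exe` with `/E` or `-E`; the first sentence should read `detects the use of `reg.exe` or `regedit.exe` to export Windows Registry hives`. The `process_regedit` macro hunk that follows is fine as a companion change.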
@@ -0,0 +1,3 @@
+definition: (Processes.process_name=regedit.exe OR Processes.original_file_name=REGEDIT.exe)
+description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
+name: process_regedit
From c91f76b9ab7c0c09f038ca00eb25b677653cf772 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Wed, 15 Jan 2025 15:55:51 +0100
Subject: [PATCH 07/37] Update windows_registry_entries_exported_via_reg.yml
---
 .../endpoint/windows_registry_entries_exported_via_reg.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/endpoint/windows_registry_entries_exported_via_reg.yml b/detections/endpoint/windows_registry_entries_exported_via_reg.yml
index ebdf080905..b8bc479897 100644
--- a/detections/endpoint/windows_registry_entries_exported_via_reg.yml
+++ b/detections/endpoint/windows_registry_entries_exported_via_reg.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Entries Exported Via Reg
 id: cbee60c1-b776-456f-83c2-faa56bdbe6c6
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
From 8ce3783394d06ea752b93247c3b861be26d8910b Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Thu, 16 Jan 2025 10:02:05 -0700
Subject: [PATCH 08/37] Update windows_exchange_autodiscover_ssrf_abuse.yml - Updated detection description to better explain ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) attack patterns - Enhanced search query: - X-Rps-CAT parameter - Suspicious user agent strings
---
 ...ndows_exchange_autodiscover_ssrf_abuse.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
index 233ca0702a..92afbf59eb 100644
--- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
+++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
@@ -1,14 +1,24 @@
 name: Windows Exchange Autodiscover SSRF Abuse
 id: d436f9e7-0ee7-4a47-864b-6dea2c4e2752
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-16'
 author: Michael Haag, Nathaniel Stearns, Splunk
 status: production
 type: TTP
-description: The following analytic detects potential abuse of the ProxyShell or ProxyNotShell vulnerabilities in Microsoft Exchange via Server Side Request Forgery (SSRF). It leverages the Web datamodel to identify suspicious POST requests with specific URI paths and queries related to autodiscover, powershell, and mapi. This activity is significant as it may indicate an attempt to exploit Exchange server vulnerabilities to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the network.
+description: This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server. The detection focuses on identifying the SSRF attack patterns used in these exploit chains. The analytic monitors for suspicious POST requests to /autodiscover/autodiscover.json endpoints that may indicate attempts to enumerate LegacyDN attributes as part of initial reconnaissance. It also detects requests containing X-Rps-CAT parameters that could indicate attempts to impersonate Exchange users and access the PowerShell backend. Additionally, it looks for MAPI requests that may be used to obtain user SIDs, along with suspicious user agents (particularly Python-based) commonly used in automated exploit attempts. If successful, these attacks can lead to remote code execution as SYSTEM, allowing attackers to deploy webshells, access mailboxes, or gain persistent access to the Exchange server and potentially the broader network environment.
data_source:
 - Windows IIS
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name("Web")` | eval is_autodiscover=if(like(lower(uri_path),"%autodiscover%"),1,0) | eval powershell = if(match(lower(uri_query),"powershell"), "1",0) | eval mapi=if(like(uri_query,"%/mapi/%"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`'
+search: ' | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent
+ | `drop_dm_object_name("Web")`
+ | eval is_autodiscover=if(like(lower(uri_path),"%autodiscover/autodiscover.json%"),1,0)
+ | eval has_rps_cat=if(like(lower(uri_query),"%x-rps-cat=%"),1,0)
+ | eval exchange_backend=if(like(lower(uri_query),"%/powershell/?%"),1,0)
+ | eval mapi=if(like(uri_query,"%/mapi/%"),1,0)
+ | eval suspicious_agent=if(match(lower(http_user_agent), "python|urllib"),1,0)
+ | addtotals fieldname=Score is_autodiscover, has_rps_cat, exchange_backend, mapi, suspicious_agent
+ | where Score >= 3
+ | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent
+ | `windows_exchange_autodiscover_ssrf_abuse_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.
known_false_positives: False positives are limited.
 references:
@@ -21,6 +31,7 @@ references:
 - https://docs.splunk.com/Documentation/AddOns/released/MSIIS
 - https://highon.coffee/blog/ssrf-cheat-sheet/
 - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
+- https://m365internals.com/2022/10/18/hunting-and-responding-to-proxyshell-attacks/
 drilldown_searches:
 - name: View the detection results for - "$dest$"
 search: '%original_detection_search% | search dest = "$dest$"'
From aa6a3f340a71eb12cc4b6af6454e6d2f77eb5592 Mon Sep 17 00:00:00 2001
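Review bot: The new `where Score >= 3` is inconsistent with the description's claim that the analytic catches the MAPI SID-lookup step: an autodiscover.json POST carrying `/mapi/` in the query scores only 2 (is_autodiscover + mapi), so it surfaces only when the weakest of the five indicators, the python/urllib user-agent match, also fires, whereas the previous version alerted at 2. Either lower the gate for that combination, e.g. `| where Score >= 3 OR (is_autodiscover=1 AND mapi=1)`, or trim the description so it promises only what the threshold delivers. Restricting `Web.status` to 200 also silently drops the 302/401 responses the old search kept, which removes visibility of unsuccessful probes; if that is intentional it belongs in `known_false_positives` or the description. Finally `count`, `firstTime` and `lastTime` are still computed by the tstats but discarded by the `fields` line, and the `security_content_ctime` macros were removed, so either add them to `fields` or drop the `min/max` aggregations.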
From: Nasreddine Bencherchali
Date: Thu, 16 Jan 2025 23:03:54 +0100
Subject: [PATCH 09/37] move to deprecated
---
 .../{endpoint => deprecated}/account_discovery_with_net_app.yml | 0
 .../attempted_credential_dump_from_registry_via_reg_exe.yml | 0
 .../detect_critical_alerts_from_security_tools.yml | 0
 .../domain_account_discovery_with_net_app.yml | 0
 .../{endpoint => deprecated}/domain_group_discovery_with_net.yml | 0
 detections/{endpoint => deprecated}/excel_spawning_powershell.yml | 0
 detections/{endpoint => deprecated}/net_localgroup_discovery.yml | 0
 .../office_application_spawn_regsvr32_process.yml | 0
 .../office_application_spawn_rundll32_process.yml | 0
 .../{endpoint => deprecated}/office_product_spawn_cmd_process.yml | 0
 .../office_product_spawning_bitsadmin.yml | 0
 .../{endpoint => deprecated}/office_product_spawning_certutil.yml | 0
 .../{endpoint => deprecated}/office_product_spawning_mshta.yml | 0
 .../office_product_spawning_windows_script_host.yml | 0
 .../{endpoint => deprecated}/remote_system_discovery_with_net.yml | 0
 detections/{endpoint => deprecated}/winword_spawning_cmd.yml | 0
 .../{endpoint => deprecated}/winword_spawning_powershell.yml | 0
 .../winword_spawning_windows_script_host.yml | 0
 18 files changed, 0 insertions(+), 0 deletions(-)
 rename detections/{endpoint => deprecated}/account_discovery_with_net_app.yml (100%)
 rename detections/{endpoint => deprecated}/attempted_credential_dump_from_registry_via_reg_exe.yml (100%)
 rename detections/{endpoint => deprecated}/detect_critical_alerts_from_security_tools.yml (100%)
 rename detections/{endpoint => deprecated}/domain_account_discovery_with_net_app.yml (100%)
 rename detections/{endpoint => deprecated}/domain_group_discovery_with_net.yml (100%)
 rename detections/{endpoint => deprecated}/excel_spawning_powershell.yml (100%)
 rename detections/{endpoint => deprecated}/net_localgroup_discovery.yml (100%)
 rename detections/{endpoint => deprecated}/office_application_spawn_regsvr32_process.yml (100%)
 rename detections/{endpoint => deprecated}/office_application_spawn_rundll32_process.yml (100%)
 rename detections/{endpoint => deprecated}/office_product_spawn_cmd_process.yml (100%)
 rename detections/{endpoint => deprecated}/office_product_spawning_bitsadmin.yml (100%)
 rename detections/{endpoint => deprecated}/office_product_spawning_certutil.yml (100%)
 rename detections/{endpoint => deprecated}/office_product_spawning_mshta.yml (100%)
 rename detections/{endpoint => deprecated}/office_product_spawning_windows_script_host.yml (100%)
 rename detections/{endpoint => deprecated}/remote_system_discovery_with_net.yml (100%)
 rename detections/{endpoint => deprecated}/winword_spawning_cmd.yml (100%)
 rename detections/{endpoint => deprecated}/winword_spawning_powershell.yml (100%)
 rename detections/{endpoint => deprecated}/winword_spawning_windows_script_host.yml (100%)
diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/deprecated/account_discovery_with_net_app.yml
similarity index 100%
rename from detections/endpoint/account_discovery_with_net_app.yml
rename to detections/deprecated/account_discovery_with_net_app.yml
diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml
similarity index 100%
rename from detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
rename to detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml
diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/deprecated/detect_critical_alerts_from_security_tools.yml
similarity index 100%
rename from detections/endpoint/detect_critical_alerts_from_security_tools.yml
rename to detections/deprecated/detect_critical_alerts_from_security_tools.yml
diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/deprecated/domain_account_discovery_with_net_app.yml
similarity index 100%
rename from detections/endpoint/domain_account_discovery_with_net_app.yml
rename to detections/deprecated/domain_account_discovery_with_net_app.yml
diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/deprecated/domain_group_discovery_with_net.yml
similarity index 100%
rename from detections/endpoint/domain_group_discovery_with_net.yml
rename to detections/deprecated/domain_group_discovery_with_net.yml
diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/deprecated/excel_spawning_powershell.yml
similarity index 100%
rename from detections/endpoint/excel_spawning_powershell.yml
rename to detections/deprecated/excel_spawning_powershell.yml
diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/deprecated/net_localgroup_discovery.yml
similarity index 100%
rename from detections/endpoint/net_localgroup_discovery.yml
rename to detections/deprecated/net_localgroup_discovery.yml
diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/deprecated/office_application_spawn_regsvr32_process.yml
similarity index 100%
rename from detections/endpoint/office_application_spawn_regsvr32_process.yml
rename to detections/deprecated/office_application_spawn_regsvr32_process.yml
diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/deprecated/office_application_spawn_rundll32_process.yml
similarity index 100%
rename from detections/endpoint/office_application_spawn_rundll32_process.yml
rename to detections/deprecated/office_application_spawn_rundll32_process.yml
diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/deprecated/office_product_spawn_cmd_process.yml
similarity index 100%
rename from detections/endpoint/office_product_spawn_cmd_process.yml
rename to detections/deprecated/office_product_spawn_cmd_process.yml
diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/deprecated/office_product_spawning_bitsadmin.yml
similarity index 100%
rename from detections/endpoint/office_product_spawning_bitsadmin.yml
rename to detections/deprecated/office_product_spawning_bitsadmin.yml
diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/deprecated/office_product_spawning_certutil.yml
similarity index 100%
rename from detections/endpoint/office_product_spawning_certutil.yml
rename to detections/deprecated/office_product_spawning_certutil.yml
diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/deprecated/office_product_spawning_mshta.yml
similarity index 100%
rename from detections/endpoint/office_product_spawning_mshta.yml
rename to detections/deprecated/office_product_spawning_mshta.yml
diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/deprecated/office_product_spawning_windows_script_host.yml
similarity index 100%
rename from detections/endpoint/office_product_spawning_windows_script_host.yml
rename to detections/deprecated/office_product_spawning_windows_script_host.yml
diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/deprecated/remote_system_discovery_with_net.yml
similarity index 100%
rename from detections/endpoint/remote_system_discovery_with_net.yml
rename to detections/deprecated/remote_system_discovery_with_net.yml
diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/deprecated/winword_spawning_cmd.yml
similarity index 100%
rename from detections/endpoint/winword_spawning_cmd.yml
rename to detections/deprecated/winword_spawning_cmd.yml
diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/deprecated/winword_spawning_powershell.yml
similarity index 100%
rename from detections/endpoint/winword_spawning_powershell.yml
rename to detections/deprecated/winword_spawning_powershell.yml
diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/deprecated/winword_spawning_windows_script_host.yml
similarity index 100%
rename from detections/endpoint/winword_spawning_windows_script_host.yml
rename to detections/deprecated/winword_spawning_windows_script_host.yml
From 9fea5dc874673cabcee8fc433dd998d762e05d59 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 16 Jan 2025 23:04:11 +0100
Subject: [PATCH 10/37] rename some analytics
---
 ...uditd_private_keys_and_certificate_enumeration.yml} | 10 +++++-----
 ...yml => windows_change_default_file_association.yml} | 10 +++++-----
 ..._cmdline_tool_execution_from_non_shell_process.yml} | 10 +++++-----
 3 files changed, 15 insertions(+), 15 deletions(-)
 rename detections/endpoint/{linux_auditd_find_private_keys.yml => linux_auditd_private_keys_and_certificate_enumeration.yml} (87%)
 rename detections/endpoint/{change_default_file_association.yml => windows_change_default_file_association.yml} (87%)
 rename detections/endpoint/{cmdline_tool_not_executed_in_cmd_shell.yml => windows_cmdline_tool_execution_from_non_shell_process.yml} (79%)
diff --git a/detections/endpoint/linux_auditd_find_private_keys.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
similarity index 87%
rename from detections/endpoint/linux_auditd_find_private_keys.yml
rename to detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
index 36f223e8d0..bbaed9e245 100644
--- a/detections/endpoint/linux_auditd_find_private_keys.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -1,14 +1,14 @@
-name: Linux Auditd Find Private Keys
+name: Linux Auditd Private Keys and Certificate Enumeration
 id: 80bb9988-190b-4ee0-a3c3-509545a8f678
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%")OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_private_keys_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_private_keys_and_certificate_enumeration_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/windows_change_default_file_association.yml
similarity index 87%
rename from detections/endpoint/change_default_file_association.yml
rename to detections/endpoint/windows_change_default_file_association.yml
index 3335247e61..4203a9afeb 100644
--- a/detections/endpoint/change_default_file_association.yml
+++ b/detections/endpoint/windows_change_default_file_association.yml
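Review bot: The search now ends in `linux_auditd_private_keys_and_certificate_enumeration_filter`, but the commit's diffstat lists only the three renamed detection files, so no macro definition for the new filter name is part of this change; unless it is renamed elsewhere in the series, the analytic will fail at run time on an undefined macro. The same applies to `windows_change_default_file_association_filter` in the next hunk. The `description` still speaks only of private keys while the name and filter now cover certificate enumeration; consider changing its first sentence to `The following analytic detects suspicious attempts to find private keys and certificate files (for example .pem, .cer, .crt, .p12, .pfx, .p7b), which may indicate an attacker's effort to access sensitive cryptographic material.` so the documentation matches the logic.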
@@ -1,15 +1,15 @@
-name: Change Default File Association
+name: Windows Change Default File Association
 id: 462d17d8-1f71-11ec-ad07-acde48001122
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects suspicious registry modifications that change the default file association to execute a malicious payload. It leverages data from the Endpoint data model, specifically monitoring registry paths under "*\\shell\\open\\command\\*" and "*HKCR\\*". This activity is significant because altering default file associations can allow attackers to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.
 data_source:
 - Sysmon EventID 12
 - Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\shell\\open\\command\\*" Registry.registry_path = "*HKCR\\*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `change_default_file_association_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\shell\\open\\command\\*" Registry.registry_path="*HKCR\\*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_change_default_file_association_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
 known_false_positives: unknown
 references:
diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
similarity index 79%
rename from detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
rename to detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index a0855e0861..647d330d1f 100644
--- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
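Review bot: `Registry.registry_value_data` is added to the `by` clause so the new association target becomes visible in results, but the rest of this file (the required-fields and observable lists after line 15) is outside the hunk and is not touched by the commit; those lists should presumably gain `registry_value_data` too, otherwise the field the analyst most needs for triage is absent from the documented output. With the type lowered from TTP to Anomaly, `known_false_positives: unknown` is also worth replacing with a concrete statement, e.g. `Application installers and user "Open with" choices legitimately rewrite shell\open\command values; tune the filter macro for known software deployment tools.`, so operators know what the lower severity is meant to absorb.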
@@ -10,7 +10,7 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe" OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net1.exe" OR Processes.process_name = "arp.exe" OR Processes.process_name = "nslookup.exe" OR Processes.process_name = "route.exe" OR Processes.process_name = "netstat.exe" OR Processes.process_name = "whoami.exe") AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell.exe" OR Processes.parent_process_name = "powershell_ise.exe" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cmdline_tool_execution_from_non_shell_process_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("ipconfig.exe", "systeminfo.exe", "net1.exe", "arp.exe", "nslookup.exe", "route.exe", "netstat.exe", "whoami.exe") AND NOT Processes.parent_process_name IN ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe", "explorer.exe", "-", "unknown") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cmdline_tool_execution_from_non_shell_process_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: A network operator or systems administrator may utilize an automated host discovery application that may generate false positives. Filter as needed.
 references:
@@ -37,9 +37,9 @@ tags:
 - CISA AA23-347A
 - Gozi Malware
 asset_type: Endpoint
- confidence: 80
- impact: 70
- message: A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.
+ confidence: 40
+ impact: 40
+ message: $process_name$ was spawned from an uncommon parent process $parent_process_name$ on $dest$.
 mitre_attack_id:
 - T1059
 - T1059.007
@@ -77,7 +77,7 @@ tags:
 - Processes.parent_process_path
 - Processes.process_path
 - Processes.parent_process_id
- risk_score: 56
+ risk_score: 16
 security_domain: endpoint
 tests:
 - name: True Positive Test
From 4476cd6bfa5fad0283d3b69bed543fbcd034f6d6 Mon Sep 17 00:00:00 2001
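Review bot: The new `NOT Processes.parent_process_name IN (..., "-", "unknown")` exclusion silently drops every event whose parent attribution is missing, which is routine for Windows Security 4688 when the parent has already exited; those are precisely the executions an analyst cannot classify afterwards, so the change buys fewer alerts at the cost of an undocumented visibility gap. If suppressing unattributed parents is intentional, record it in `known_false_positives`, for example `Events whose parent process is unattributed ("-" or "unknown") are excluded; review them with a separate search if parent enrichment is not available in your environment.`, so the gap is explicit rather than buried in the SPL. The `confidence: 40` and `impact: 40` in the second hunk agree with `risk_score: 16` in the third, so those edits are internally consistent.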
From: Nasreddine Bencherchali
Date: Fri, 17 Jan 2025 12:56:57 +0100
Subject: [PATCH 11/37] add rename to auditd analytics
---
detections/endpoint/linux_auditd_base64_decode_files.yml | 6 +++---
detections/endpoint/linux_auditd_clipboard_data_copy.yml | 6 +++---
.../endpoint/linux_auditd_data_destruction_command.yml | 6 +++---
.../linux_auditd_data_transfer_size_limits_via_split.yml | 6 +++---
.../linux_auditd_database_file_and_directory_discovery.yml | 6 +++---
.../endpoint/linux_auditd_file_and_directory_discovery.yml | 6 +++---
...inux_auditd_file_permissions_modification_via_chattr.yml | 6 +++---
...linux_auditd_find_credentials_from_password_managers.yml | 6 +++---
.../linux_auditd_find_credentials_from_password_stores.yml | 6 +++---
detections/endpoint/linux_auditd_find_ssh_private_keys.yml | 6 +++---
.../endpoint/linux_auditd_hardware_addition_swapoff.yml | 6 +++---
.../linux_auditd_hidden_files_and_directories_creation.yml | 6 +++---
.../endpoint/linux_auditd_preload_hijack_library_calls.yml | 6 +++---
...inux_auditd_private_keys_and_certificate_enumeration.yml | 2 +-
.../endpoint/linux_auditd_setuid_using_setcap_utility.yml | 6 +++---
.../endpoint/linux_auditd_unload_module_via_modprobe.yml | 6 +++---
...nux_auditd_virtual_disk_file_and_directory_discovery.yml | 6 +++---
17 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index 536a69b3b2..bdb33137ab 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Base64 Decode Files
 id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects suspicious Base64 decode operations that may indicate malicious activity, such as data exfiltration or execution of encoded commands. Base64 is commonly used to encode data for safe transmission, but attackers may abuse it to conceal malicious payloads. This detection focuses on identifying unusual or unexpected Base64 decoding processes, particularly when associated with critical files or directories. By monitoring these activities, the analytic helps uncover potential threats, enabling security teams to respond promptly and mitigate risks associated with encoded malware or unauthorized data access.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_base64_decode_files_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_base64_decode_files_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
index eea26987d2..e844e3cc50 100644
--- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
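Review bot: `rename comm as process_name | rename exe as process` is inserted before the `stats`, but the aggregation is still `by argc process_exec dest`, so both renamed fields are discarded before the output and never reach the risk message or the filter macro; as written the rename has no observable effect. Either carry them through, `| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec process_name process dest`, or drop the two renames. The same dead rename appears in the hunks for linux_auditd_clipboard_data_copy, linux_auditd_data_destruction_command, linux_auditd_data_transfer_size_limits_via_split, linux_auditd_database_file_and_directory_discovery and linux_auditd_file_and_directory_discovery below, and in the chattr hunk that is cut off at the end of this page. This presumes `comm` and `exe` are passed through by `linux_auditd_normalized_execve_process`; if that macro already renames them, the new lines are no-ops for a different reason and should still go.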
@@ -1,14 +1,14 @@
 name: Linux Auditd Clipboard Data Copy
 id: 9ddfe470-c4d0-4e60-8668-7337bd699edd
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Linux Auditd telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%xclip%") AND (LIKE(process_exec, "%clipboard%") OR LIKE(process_exec, "%-o%") OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, "%-selection %") OR LIKE(process_exec, "%sel %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_clipboard_data_copy_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%xclip%") AND (LIKE(process_exec, "%clipboard%") OR LIKE(process_exec, "%-o%") OR LIKE(process_exec, "%clip %") OR LIKE(process_exec, "%-selection %") OR LIKE(process_exec, "%sel %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_clipboard_data_copy_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: False positives may be present on Linux desktop as it may commonly be used by administrators or end users. Filter as needed.
 references:
diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml
index fb2cb5fa5a..3201e7e0e0 100644
--- a/detections/endpoint/linux_auditd_data_destruction_command.yml
+++ b/detections/endpoint/linux_auditd_data_destruction_command.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Data Destruction Command
 id: 4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Linux Auditd, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%rm %") AND LIKE (process_exec, "% -rf %") AND LIKE (process_exec, "%--no-preserve-root%") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_destruction_command_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%rm %") AND LIKE (process_exec, "% -rf %") AND LIKE (process_exec, "%--no-preserve-root%") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_destruction_command_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: unknown
 references:
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
index ee0c06ce7d..de934eb8a4 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Data Transfer Size Limits Via Split
 id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
index bcf7f46933..60d8cb7835 100644
--- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Database File And Directory Discovery
 id: f616c4f3-bde9-41cf-856c-019b65f668bb
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_database_file_and_directory_discovery_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_database_file_and_directory_discovery_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
index ec265f42cb..4aed31144d 100644
--- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd File And Directory Discovery
 id: 0bbfb79c-a755-49a5-a38a-1128d0a452f1
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-15'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects suspicious file and directory discovery activities, which may indicate an attacker's effort to locate sensitive documents and files on a compromised system. This behavior often precedes data exfiltration, as adversaries seek to identify valuable or confidential information for theft. By identifying unusual or unauthorized attempts to browse or enumerate files and directories, this analytic helps security teams detect potential reconnaissance or preparatory actions by an attacker, enabling timely intervention to prevent data breaches or unauthorized access.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE (process_exec, "%.svg%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_and_directory_discovery_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE (process_exec, "%.svg%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_and_directory_discovery_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
index 4c46e7a037..a9bc8b21af 100644
--- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
+++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd File Permissions Modification Via Chattr
 id: f2d1110d-b01c-4a58-9975-90a9edeb083a
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%chattr %") AND LIKE(process_exec, "% -i%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_permissions_modification_via_chattr_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%chattr %") AND LIKE(process_exec, "% -i%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_file_permissions_modification_via_chattr_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
index edf1c9f44e..81daf23272 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
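Review bot: The two new stages `rename comm as process_name | rename exe as process` on the `+search` line have no effect on the result, because neither `process_name` nor `process` is referenced in the `where` clause or listed in the `stats ... by` clause, so `stats` drops both fields before the filter macro runs. If the intent is to expose CIM-style process fields to the filter macro or to risk/observable mapping, they have to be carried through, e.g. `... by process_exec proctitle normalized_proctitle_delimiter process_name process dest`. The same applies to every other `+search` line in this patch (the password-manager, password-store, SSH-key, swapoff, hidden-files, LD_PRELOAD, private-key, setcap, modprobe and virtual-disk hunks). Separately, the description says chattr is used to make files immutable, while `LIKE(process_exec, "% -i%")` only matches the flag that clears the immutable attribute; either add `% +i%` as an alternative or align the description with what is actually matched.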
@@ -1,14 +1,14 @@
 name: Linux Auditd Find Credentials From Password Managers
 id: 784241aa-85a5-4782-a503-d071bd3446f9
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects suspicious attempts to find credentials stored in password managers, which may indicate an attacker's effort to retrieve sensitive login information. Password managers are often targeted by adversaries seeking to access stored passwords for further compromise or lateral movement within a network. By monitoring for unusual or unauthorized access to password manager files or processes, this analytic helps identify potential credential theft attempts, enabling security teams to respond quickly to protect critical accounts and prevent further unauthorized access.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,
"%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_managers_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
index 602f0ad3b5..6dfab9fc46 100644
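Review bot: The alternative `LIKE (process_exec, "%KeePass\.enforced%")` on the `+search` line is dead and, as written, never matches: SPL `LIKE` treats only `%` and `_` as wildcards and, to my knowledge, has no backslash escaping, so the pattern requires a literal backslash in the command line, while `"%KeePass%"` earlier in the same OR-group already matches any string containing `KeePass.enforced`. Either drop it or write `"%KeePass.enforced%"` if a distinct match is wanted. The `"%vault%"` alternative is also broad enough to fire on routine HashiCorp `vault` CLI use piped through `grep`, which deserves a sentence in `known_false_positives`.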
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Find Credentials From Password Stores
 id: 4de73044-9a1d-4a51-a1c2-85267d8dcab3
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects suspicious attempts to find credentials stored in password stores, indicating a potential attacker's effort to access sensitive login information. Password stores are critical repositories that contain valuable credentials, and unauthorized access to them can lead to significant security breaches. By monitoring for unusual or unauthorized activities related to password store access, this analytic helps identify potential credential theft attempts, allowing security teams to respond promptly and prevent unauthorized access to critical systems and data.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%password%") OR LIKE (process_exec, "%pass %") OR LIKE (process_exec, "%credential%")OR LIKE (process_exec, "%creds%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_stores_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%password%") OR LIKE (process_exec, "%pass %") OR LIKE (process_exec, "%credential%")OR LIKE (process_exec, "%creds%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_credentials_from_password_stores_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
index 9435ba0ee7..23f64f41be 100644
--- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
+++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Find Ssh Private Keys
 id: e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects suspicious attempts to find SSH private keys, which may indicate an attacker's effort to compromise secure access to systems. SSH private keys are essential for secure authentication, and unauthorized access to these keys can enable attackers to gain unauthorized access to servers and other critical infrastructure. By monitoring for unusual or unauthorized searches for SSH private keys, this analytic helps identify potential threats to network security, allowing security teams to quickly respond and safeguard against unauthorized access and potential breaches.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%id_rsa%") OR LIKE (process_exec, "%id_dsa%")OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%ssh_key%")OR LIKE (process_exec, "%authorized_keys%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_find_ssh_private_keys_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%id_rsa%") OR LIKE (process_exec, "%id_dsa%")OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%ssh_key%")OR LIKE (process_exec, "%authorized_keys%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
`linux_auditd_find_ssh_private_keys_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
index d44992d250..3c8f5b1bba 100644
--- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Hardware Addition Swapoff
 id: 5728bb16-1a0b-4b66-bce2-0074ac839770
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects the execution of the "swapoff" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%swapoff %") AND LIKE(process_exec, "% -a%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_hardware_addition_swapoff_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%swapoff %") AND LIKE(process_exec, "% -a%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_hardware_addition_swapoff_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems.
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: administrator may disable swapping of devices in a linux host. Filter is needed.
 references:
diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
index 1b748cba78..4a11ae5b48 100644
--- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
+++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
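Review bot: The unchanged `description` line still claims the analytic "leverages data from Endpoint Detection and Response (EDR) agents", while `data_source` is `Linux Auditd Execve` and the `+search` line reads the `linux_auditd_normalized_proctitle_process` macro; the wording looks carried over from an EDR-based sibling and should say it leverages Linux Auditd process execution data, as the other descriptions in this patch do. Since `version` and `date` are already bumped in this hunk, correcting the sentence here costs nothing extra.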
@@ -1,14 +1,14 @@
 name: Linux Auditd Hidden Files And Directories Creation
 id: 555cc358-bf16-4e05-9b3a-0f89c73b7261
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec," /.%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_hidden_files_and_directories_creation_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %")OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec," .%")OR LIKE (process_exec," /.%")) | stats count
min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_hidden_files_and_directories_creation_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
index 9f9601d818..f537d137dd 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
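Review bot: Two of the three path alternatives on the `+search` line, `LIKE (process_exec," .%")` and `LIKE (process_exec," /.%")`, have no leading `%`, so they only match a command line that begins with a space, which the first OR-group (`%touch %`, `%mkdir %`, ...) makes practically unreachable; the effective condition is just `"% ./.%"`, so a plain `mkdir .hidden` is not caught. They were presumably meant to be `"% .%"` and `"% /.%"`. The unchanged `description` line also contains a duplicated clause ("...helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations") that is worth tidying while the version is being bumped.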
@@ -1,14 +1,14 @@
 name: Linux Auditd Preload Hijack Library Calls
 id: 35c50572-a70b-452f-afa9-bebdf3c3ce36
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Linux Auditd, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%LD_PRELOAD%")| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_preload_hijack_library_calls_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%LD_PRELOAD%")| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_preload_hijack_library_calls_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems.
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
index bbaed9e245..b30b4049b2 100644
--- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -8,7 +8,7 @@ type: Anomaly
 description: The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_private_keys_and_certificate_enumeration_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time)
as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_private_keys_and_certificate_enumeration_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
index 7eba7152fe..0f231adcdb 100644
--- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
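Review bot: This hunk changes the `search` line but, unlike every other file in the patch, it starts at line 8 (`@@ -8,7 +8,7 @@`) and leaves the file's `version` and `date` untouched; unless they are bumped in a hunk outside this view, the detection logic changes without a version change, which the sibling files avoid by moving to `version: 3` / `date: '2025-01-16'`. The `"%.key%"` alternative will also match any argument containing `.key` (for example `.keystore` or `.keychain` paths); that is probably acceptable for an Anomaly, but it deserves a sentence in `known_false_positives`.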
@@ -1,14 +1,14 @@
 name: Linux Auditd Setuid Using Setcap Utility
 id: 1474459a-302b-4255-8add-d82f96d14cd9
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects the execution of the 'setcap' utility to enable the SUID bit on Linux systems. It leverages Linux Auditd data, focusing on process names and command-line arguments that indicate the use of 'setcap' with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%setcap %") AND (LIKE (process_exec, "% cap_setuid+ep %") OR LIKE (process_exec, "% cap_setuid=ep %") OR LIKE (process_exec, "% cap_net_bind_service+p %") OR LIKE (process_exec, "% cap_net_raw+ep %") OR LIKE (process_exec, "% cap_dac_read_search+ep %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_setcap_utility_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%setcap %") AND (LIKE (process_exec, "% cap_setuid+ep %") OR LIKE (process_exec, "% cap_setuid=ep %") OR LIKE (process_exec, "% cap_net_bind_service+p %") OR LIKE (process_exec, "% cap_net_raw+ep %") OR LIKE (process_exec, "% cap_dac_read_search+ep %")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`|
`security_content_ctime(lastTime)`| `linux_auditd_setuid_using_setcap_utility_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
index 004c43ae77..352bdc7cf4 100644
--- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
+++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
@@ -1,14 +1,14 @@
 name: Linux Auditd Unload Module Via Modprobe
 id: 90964d6a-4b5f-409a-85bd-95e261e03fe9
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects suspicious use of the `modprobe` command to unload kernel modules, which may indicate an attempt to disable critical system components or evade detection. The `modprobe` utility manages kernel modules, and unauthorized unloading of modules can disrupt system security features, remove logging capabilities, or conceal malicious activities. By monitoring for unusual or unauthorized `modprobe` operations involving module unloading, this analytic helps identify potential tampering with kernel functionality, enabling security teams to investigate and address possible threats to system integrity.
 data_source:
 - Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where LIKE (process_exec, "%modprobe%") AND LIKE (process_exec, "%-r %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_unload_module_via_modprobe_filter`'
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE (process_exec, "%modprobe%") AND LIKE (process_exec, "%-r %") | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_unload_module_via_modprobe_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems.
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
 known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
 references:
diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
index e5af078c4f..282728f5e7 100644
--- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
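Review bot: The condition `LIKE (process_exec, "%modprobe%") AND LIKE (process_exec, "%-r %")` on the `+search` line only recognises the short flag, so the documented long form `modprobe --remove <module>` is not matched, and `"%modprobe%"` without a trailing space also fires on any command whose arguments merely contain the substring (a `grep modprobe -r ...` over a directory, for instance). A tighter form that covers both spellings and anchors on the binary name would be `LIKE (process_exec, "%modprobe %") AND (LIKE (process_exec, "% -r %") OR LIKE (process_exec, "% --remove %"))`.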
@@ -1,14 +1,14 @@ name: Linux Auditd Virtual Disk File And Directory Discovery id: eec78cef-d4c8-4b35-8f5b-6922102a4a41 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-16' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches. data_source: - Linux Auditd Execve -search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`' how_to_implement: 
To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: From c1bee7dc5864e2e0a3ea01aa4acd6782cbb41dae Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Fri, 17 Jan 2025 12:57:09 +0100 Subject: [PATCH 12/37] update additional analytics --- ...ding_dotnet_into_memory_via_reflection.yml | 14 +++++++------- ...ew_default_file_association_value_set.yml} | 19 +++++++++---------- 2 files changed, 16 insertions(+), 17 deletions(-) rename detections/endpoint/{windows_change_default_file_association.yml => windows_new_default_file_association_value_set.yml} (65%) diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index 35211ae96d..44681b760d 100644 --- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml 
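Review bot: The `rename comm as process_name | rename exe as process` added to the `+search:` line has no effect on the result, because neither field is referenced in the `where` clause or in `stats count ... by argc process_exec dest`, so `stats` discards them. If the intent is to expose them for the risk message or drilldowns, add them to the grouping: `| stats count min(_time) as firstTime max(_time) as lastTime by argc process_name process process_exec dest`. With the field available, `process_name IN ("find", "grep")` would also tighten `LIKE (process_exec, "%find%")`, which currently matches any command line containing the substring (`findmnt`, `/usr/bin/find`, a file named `findings.txt`). Note that `"%.vhd%"` already matches `.vhdx`, so the second extension pattern is redundant but harmless.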
@@ -1,14 +1,14 @@ -name: PowerShell Loading DotNET into Memory via Reflection +name: PowerShell Loading DotNET Into Memory via Reflection id: 85bc3f30-ca28-11eb-bd21-acde48001122 -version: 5 -date: '2024-09-30' +version: 6 +date: '2025-01-16' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly data_source: - Powershell Script Block Logging 4104 -description: The following analytic detects the use of PowerShell to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*[system.reflection.assembly]::load(*","*[reflection.assembly]*", "*reflection.assembly*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`' +description: The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. 
If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment. +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*", "*Reflection.Assembly.Load*", "*UnsafeLoadFrom*", "*.LoadFrom(*", "*.LoadModule(*", "*.LoadWithPartialName*", "*ReflectionOnlyLoad*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives: False positives should be limited as day to day scripts do not use this method. references: @@ -37,7 +37,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 70 - message: A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in host $Computer$ + message: A suspicious powershell script that contains calls to reflective class assembly command in $ScriptBlockText$ is potentially trying to load malicious .NET code in memory in host $Computer$ mitre_attack_id: - T1059 - T1059.001 diff --git a/detections/endpoint/windows_change_default_file_association.yml b/detections/endpoint/windows_new_default_file_association_value_set.yml similarity index 65% rename from detections/endpoint/windows_change_default_file_association.yml rename to detections/endpoint/windows_new_default_file_association_value_set.yml index 4203a9afeb..d6f71a881f 100644 --- a/detections/endpoint/windows_change_default_file_association.yml 
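Review bot: The new `ScriptBlockText IN (...)` list in the `+search:` line does not match the `[AppDomain]::CurrentDomain.Load($bytes)` loader form, a common in-memory loading idiom alongside `[Reflection.Assembly]::Load`; if that is in scope for this analytic, add `"*CurrentDomain.Load(*"` to the list. The unanchored `"*.LoadFrom(*"` and `"*.LoadModule(*"` entries will also match unrelated .NET or COM methods with those names, which is tolerable now that the type is `Anomaly` but deserves a sentence in `known_false_positives`, which still says false positives "should be limited". The `confidence: 80` / `impact: 70` lines remain as context in the following hunk, so the risk scoring is unchanged despite the downgrade from TTP to Anomaly — confirm that is intentional.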
+++ b/detections/endpoint/windows_new_default_file_association_value_set.yml 
@@ -1,17 +1,16 @@ -name: Windows Change Default File Association +name: Windows New Default File Association Value Set id: 462d17d8-1f71-11ec-ad07-acde48001122 version: 4 date: '2025-01-15' author: Teoderick Contreras, Splunk status: production -type: Anomaly -description: The following analytic detects suspicious registry modifications that change the default file association to execute a malicious payload. It leverages data from the Endpoint data model, specifically monitoring registry paths under "*\\shell\\open\\command\\*" and "*HKCR\\*". This activity is significant because altering default file associations can allow attackers to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment. +type: Hunting +description: The following analytic detects registry changes to the default file association value. It leverages data from the Endpoint data model, specifically monitoring registry paths under "HKCR\\*\\shell\\open\\command\\*". This activity can be significant because, attackers might alter the default file associations in order to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment. 
data_source: -- Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\shell\\open\\command\\*" Registry.registry_path="*HKCR\\*" by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_change_default_file_association_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\shell\\open\\command\\*" Registry.registry_path IN ("*HKCR\\*", "*HKEY_CLASSES_ROOT\\*") by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_new_default_file_association_value_set_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. -known_false_positives: unknown +known_false_positives: Windows and third party software will create and modify these file associations during installation or upgrades. Additional filters needs to be applied to tune environment specific false positives. references: - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features drilldown_searches: 
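Review bot: The path filter in the `+search:` line now requires `Registry.registry_path IN ("*HKCR\\*", "*HKEY_CLASSES_ROOT\\*")`, yet the only remaining `data_source` is Sysmon EventID 13, and Sysmon typically records the two hives behind the HKCR view as `HKLM\SOFTWARE\Classes\...` and `HKU\<SID>_Classes\...` rather than with an `HKCR` prefix — confirm against your ingested events. If that holds, the search only fires where an add-on rewrites the path, and `"*\\SOFTWARE\\Classes\\*"` (or `"*_Classes\\*"`) should be added to the IN list. Dropping Sysmon EventID 12 from `data_source` is consistent with the new "Value Set" title, but key creation under `shell\open\command` without a value write would now go unseen, which is worth stating in the description.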
@@ -32,9 +31,9 @@ tags: - Windows Persistence Techniques - Data Destruction asset_type: Endpoint - confidence: 100 - impact: 80 - message: Registry path $registry_path$ was modified, added, or deleted in $dest$. + confidence: 50 + impact: 50 + message: Default file association for $registry_path$ was modified to $registry_value_data$ in $dest$. mitre_attack_id: - T1546.001 - T1546 @@ -58,7 +57,7 @@ tags: - Registry.registry_path - Registry.registry_key_name - Registry.registry_value_name - risk_score: 80 + risk_score: 25 security_domain: endpoint tests: - name: True Positive Test From be154a1bdc5439d2184fae0779593aa24ab3a914 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Fri, 17 Jan 2025 15:45:43 +0100 Subject: [PATCH 13/37] update 827409a1-5393-4d8d-8da4-bbb297c262a7 --- ..._http_network_communication_from_msiexec.yml} | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) rename detections/endpoint/{windows_msiexec_with_network_connections.yml => windows_http_network_communication_from_msiexec.yml} (94%) diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml similarity index 94% rename from detections/endpoint/windows_msiexec_with_network_connections.yml rename to detections/endpoint/windows_http_network_communication_from_msiexec.yml index d905f866d0..90fead6067 100644 --- a/detections/endpoint/windows_msiexec_with_network_connections.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml 
@@ -1,14 +1,14 @@ -name: Windows MSIExec With Network Connections +name: Windows HTTP Network Communication From MSIExec id: 827409a1-5393-4d8d-8da4-bbb297c262a7 -version: 4 -date: '2024-09-30' +version: 5 +date: '2025-01-17' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects MSIExec making network connections over ports 443 or 80. This behavior is identified by correlating process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs. Typically, MSIExec does not perform network communication to the internet, making this activity unusual and potentially indicative of malicious behavior. If confirmed malicious, an attacker could be using MSIExec to download or communicate with external servers, potentially leading to data exfiltration, command and control (C2) communication, or further malware deployment. data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("80","443") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest 
Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("80","443") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_http_network_communication_from_msiexec_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positives will be present and filtering is required. references: @@ -28,8 +28,8 @@ tags: - Windows System Binary Proxy Execution MSIExec asset_type: Endpoint confidence: 50 - impact: 70 - message: An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$ + impact: 50 + message: An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$ on port $dest_port$ mitre_attack_id: - T1218.007 observable: 
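Review bot: `join process_id` in the `+search:` line correlates on the PID alone, with no host in the key, so an `msiexec.exe` PID on one endpoint is matched against traffic from any process sharing that PID on any other endpoint, and PIDs are recycled over time as well. Add the host to both sides and the key — in the subsearch `by All_Traffic.process_id All_Traffic.src All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | rename src as dest` and outside `| join dest process_id [...]` — assuming your add-on maps the local endpoint of Sysmon EventID 3 to `All_Traffic.src`, which should be confirmed. As written the subsearch's `All_Traffic.dest` is the remote traffic destination, and after the join it may overwrite the endpoint `dest` from the Processes branch, so `$dest$` in the risk message could name the remote host. Separately, the `security_content_ctime(firstTime)` and `(lastTime)` calls act on fields this tstats never produces (there is no `min(_time) as firstTime`), so they are dead.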
@@ -65,7 +65,7 @@ tags: - All_Traffic.dest - All_Traffic.dest_port - All_Traffic.dest_ip - risk_score: 35 + risk_score: 25 security_domain: endpoint tests: - name: True Positive Test From 0d36a4ed1a08cdc992c6b9797550180039ec95a4 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Fri, 17 Jan 2025 18:45:32 +0100 Subject: [PATCH 14/37] update 048839e4-1eaa-43ff-8a22-86d17f6fcc13 --- ..._via_set_command_from_uncommon_parent.yml} | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) rename detections/endpoint/{windows_command_shell_fetch_env_variables.yml => windows_list_env_variables_via_set_command_from_uncommon_parent.yml} (67%) diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml similarity index 67% rename from detections/endpoint/windows_command_shell_fetch_env_variables.yml rename to detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml index 156004d4aa..c2ca59a1d5 100644 --- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml +++ b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml 
@@ -1,18 +1,18 @@ -name: Windows Command Shell Fetch Env Variables +name: Windows List ENV Variables Via SET Command From Uncommon Parent id: 048839e4-1eaa-43ff-8a22-86d17f6fcc13 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-17' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic identifies a suspicious process command line fetching environment variables with a non-shell parent process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and parent process names. This activity is significant as it is commonly associated with malware like Qakbot, which uses this technique to gather system information. If confirmed malicious, this behavior could indicate that the parent process has been compromised, potentially allowing attackers to execute arbitrary commands, escalate privileges, or persist within the environment. +type: Anomaly +description: The following analytic identifies a suspicious process command line fetching environment variables using the cmd.exe "set" command, with a non-shell parent process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and parent process names. This activity could be significant as it is commonly associated with malware like Qakbot, which uses this technique to gather system information. If confirmed malicious, this behavior could indicate that the parent process has been compromised, potentially allowing attackers to execute arbitrary commands, escalate privileges, or persist within the environment. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*cmd /c set" OR Processes.process = "*cmd.exe /c set" AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name = "explorer.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_shell_fetch_env_variables_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmd.exe" Processes.process IN ("*/c set", "*/c \"set") AND NOT Processes.parent_process_name IN ("cmd.exe", "explorer.exe", "powershell*" "pwsh.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_list_env_variables_via_set_command_from_uncommon_parent_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: shell process that are not included in this search may cause False positive. Filter is needed. +known_false_positives: shell process that are not included in this search may cause False positive. Filter as needed. references: - https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg drilldown_searches: @@ -28,9 +28,9 @@ tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 70 - impact: 80 - message: non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables in $dest$ + confidence: 50 + impact: 50 + message: $parent_process_name$ Spawned $process_name$ with a commandline $process$ in $dest$ mitre_attack_id: - T1055 observable: @@ -55,7 +55,7 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 56 + risk_score: 25 security_domain: endpoint tests: - name: True Positive Test From 1e430e5cf4e388766736a1438715811dbbb9c82d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 10:45:36 +0100 Subject: [PATCH 15/37] fix error with filter macros --- ..._and_sc_application.yml => windows_service_stop_attempt.yml} | 2 +- .../windows_suspicious_child_process_spawned_from_webserver.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename detections/endpoint/{windows_service_stop_via_net__and_sc_application.yml => windows_service_stop_attempt.yml} (98%) 
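Review bot: The exclusion list in the `+search:` line is missing a comma — `NOT Processes.parent_process_name IN ("cmd.exe", "explorer.exe", "powershell*" "pwsh.exe")` — and should read `IN ("cmd.exe", "explorer.exe", "powershell*", "pwsh.exe")`; whether SPL rejects the search or silently absorbs the stray term, `pwsh.exe` is not reliably excluded as written. The second command pattern, `"*/c \"set"`, only matches a command line that ends in an unterminated quote; a quoted invocation such as `cmd.exe /c "set"` ends in `set"` and is missed, so `"*/c \"set\""` is probably what was intended. Adding `Processes.process_name="cmd.exe"` is a good change, since the old `"*cmd /c set"` prefix also matched unrelated binaries whose command line happened to contain that text.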
diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_attempt.yml similarity index 98% rename from detections/endpoint/windows_service_stop_via_net__and_sc_application.yml rename to detections/endpoint/windows_service_stop_attempt.yml index 093c38aa47..59c2e1cf7f 100644 --- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml +++ b/detections/endpoint/windows_service_stop_attempt.yml 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_net` OR `process_sc`) Processes.process="* stop *") OR Processes.process="*Stop-Service *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_net` OR `process_sc`) Processes.process="* stop *") OR Processes.process="*Stop-Service *" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_attempt_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Windows OS or software may stop and restart services due to some critical update. references: diff --git a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml index eb4ad12a70..8f5d664169 100644 --- a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml +++ b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml @@ -1,4 +1,4 @@ -name: Windows Suspicious Child Process Spawned From Web Server +name: Windows Suspicious Child Process Spawned From WebServer id: 22597426-6dbd-49bd-bcdc-4ec19857192f version: '6' date: '2025-01-13' From 51106278d0ca4b027940c875c70f8065aa8a0d60 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 10:51:42 +0100 Subject: [PATCH 16/37] fix additional issues with filter macros --- detections/deprecated/domain_group_discovery_with_net.yml | 2 +- detections/deprecated/net_localgroup_discovery.yml | 2 +- ...via_net.yml => windows_domain_group_discovery_via_net.yml} | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) rename detections/endpoint/{windows_group_discovery_via_net.yml => windows_domain_group_discovery_via_net.yml} (96%) diff --git a/detections/deprecated/domain_group_discovery_with_net.yml b/detections/deprecated/domain_group_discovery_with_net.yml index 1b1c2d1460..3044000b93 100644 --- a/detections/deprecated/domain_group_discovery_with_net.yml +++ b/detections/deprecated/domain_group_discovery_with_net.yml 
@@ -5,7 +5,7 @@ date: '2025-01-13' author: Mauricio Velazco, Splunk status: deprecated type: Hunting -description: This search has been deprecated in favour of the more generic analytic "Domain Group Discovery With Net". The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement. +description: This search has been deprecated in favour of the more generic analytic "c5c8e0f3-147a-43da-bf04-4cfaec27dc44". The following analytic identifies the execution of `net.exe` with command-line arguments used to query domain groups, specifically `group /domain`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate domain groups, which is a common step in Active Directory Discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 diff --git a/detections/deprecated/net_localgroup_discovery.yml b/detections/deprecated/net_localgroup_discovery.yml index dbf16c85fa..b0cd79f36d 100644 --- a/detections/deprecated/net_localgroup_discovery.yml +++ b/detections/deprecated/net_localgroup_discovery.yml 
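Review bot: The replaced deprecation sentence in the `+description:` line now points at a bare UUID, `"c5c8e0f3-147a-43da-bf04-4cfaec27dc44"`, which tells an analyst reading the deprecated search nothing without a lookup, while the old text used the analytic's pre-rename title. Keeping both is the robust option, since the id survives the rename this same patch series performs: `This search has been deprecated in favour of the more generic analytic "Windows Domain Group Discovery Via Net" (c5c8e0f3-147a-43da-bf04-4cfaec27dc44).`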
@@ -5,7 +5,7 @@ date: '2025-01-13' author: Michael Haag, Splunk status: deprecated type: Hunting -description: This search has been deprecated in favour of the more generic analytic "Domain Group Discovery With Net". The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network. +description: This search has been deprecated in favour of the more generic analytic "c5c8e0f3-147a-43da-bf04-4cfaec27dc44". The following analytic detects the execution of the `net localgroup` command, which is used to enumerate local group memberships on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it can indicate an attacker is gathering information about local group memberships, potentially to identify privileged accounts. If confirmed malicious, this behavior could lead to further privilege escalation or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 diff --git a/detections/endpoint/windows_group_discovery_via_net.yml b/detections/endpoint/windows_domain_group_discovery_via_net.yml similarity index 96% rename from detections/endpoint/windows_group_discovery_via_net.yml rename to detections/endpoint/windows_domain_group_discovery_via_net.yml index 10cb8b78e2..b917407589 100644 --- a/detections/endpoint/windows_group_discovery_via_net.yml 
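Review bot: The `+description:` line deprecates this `net localgroup` analytic in favour of c5c8e0f3-147a-43da-bf04-4cfaec27dc44, but that replacement's search (visible later in this series) requires `Processes.process=*/do*`, i.e. a `/domain` switch, so a plain `net localgroup administrators` — the local-group enumeration this search covered — is no longer detected by anything named here. Either point the deprecation at an analytic that also covers local group discovery, or state the gap explicitly, e.g. `... analytic "Windows Domain Group Discovery Via Net" (c5c8e0f3-147a-43da-bf04-4cfaec27dc44); local-group enumeration without /domain is not covered by it.` As in the sibling file, a readable name alongside the UUID would help whoever lands on the deprecated search.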
+++ b/detections/endpoint/windows_domain_group_discovery_via_net.yml @@ -1,4 +1,4 @@ -name: Domain Group Discovery With Net +name: Windows Domain Group Discovery Via Net id: c5c8e0f3-147a-43da-bf04-4cfaec27dc44 version: 1 date: '2025-01-13' 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*group* AND Processes.process=*/do*) AND NOT (Processes.process="*/add" OR Processes.process="*/delete") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_net_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*group* AND Processes.process=*/do*) AND NOT (Processes.process="*/add" OR Processes.process="*/delete") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_domain_group_discovery_via_net_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model.
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Administrators or power users may use this command for troubleshooting.
references:
From 04d10316f80578359e5ea93191e17373f8752b39 Mon Sep 17 00:00:00 2001
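Review bot: The new `search` line swaps the trailing filter macro to `` `windows_domain_group_discovery_via_net_filter` ``, but the macro definition that has to back it is not part of this hunk; unless `macros/domain_group_discovery_with_net_filter.yml` is renamed to match in the same commit, the analytic stops resolving with an undefined-macro error at search time. The diffstat for this patch is not visible in this excerpt, so I cannot confirm from here whether the macro file was moved; worth checking before merge. The `version`/`date` lines of this file are outside the hunk.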
From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 11:02:07 +0100 Subject: [PATCH 17/37] upgrade analytics version --- detections/endpoint/linux_auditd_add_user_account.yml | 4 ++-- detections/endpoint/linux_auditd_add_user_account_type.yml | 4 ++-- detections/endpoint/linux_auditd_at_application_execution.yml | 4 ++-- detections/endpoint/linux_auditd_auditd_service_stop.yml | 4 ++-- .../endpoint/linux_auditd_change_file_owner_to_root.yml | 4 ++-- ...nux_auditd_data_transfer_size_limits_via_split_syscall.yml | 4 ++-- detections/endpoint/linux_auditd_dd_file_overwrite.yml | 4 ++-- .../linux_auditd_disable_or_modify_system_firewall.yml | 4 ++-- detections/endpoint/linux_auditd_doas_conf_file_creation.yml | 4 ++-- detections/endpoint/linux_auditd_doas_tool_execution.yml | 4 ++-- .../endpoint/linux_auditd_edit_cron_table_parameter.yml | 4 ++-- ...ux_auditd_install_kernel_module_using_modprobe_utility.yml | 4 ++-- .../linux_auditd_kernel_module_using_rmmod_utility.yml | 4 ++-- .../endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml | 4 ++-- detections/endpoint/linux_auditd_osquery_service_stop.yml | 4 ++-- ...td_possible_access_or_modification_of_sshd_config_file.yml | 4 ++-- .../linux_auditd_possible_access_to_credential_files.yml | 4 ++-- .../endpoint/linux_auditd_possible_access_to_sudoers_file.yml | 4 ++-- .../endpoint/linux_auditd_preload_hijack_via_preload_file.yml | 4 ++-- detections/endpoint/linux_auditd_service_restarted.yml | 4 ++-- detections/endpoint/linux_auditd_service_started.yml | 4 ++-- .../endpoint/linux_auditd_setuid_using_chmod_utility.yml | 4 ++-- detections/endpoint/linux_auditd_shred_overwrite_command.yml | 4 ++-- detections/endpoint/linux_auditd_sudo_or_su_execution.yml | 4 ++-- detections/endpoint/linux_auditd_sysmon_service_stop.yml | 4 ++-- .../linux_auditd_system_network_configuration_discovery.yml | 4 ++-- .../linux_auditd_unix_shell_configuration_modification.yml | 4 ++-- detections/endpoint/linux_auditd_whoami_user_discovery.yml | 4 
++-- detections/endpoint/microsoft_defender_atp_alerts.yml | 4 ++-- detections/endpoint/microsoft_defender_incident_alerts.yml | 4 ++-- .../endpoint/print_spooler_failed_to_load_a_plug_in.yml | 4 ++-- .../endpoint/windows_domain_admin_impersonation_indicator.yml | 4 ++-- 32 files changed, 64 insertions(+), 64 deletions(-)
diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml
index aca8ced3d0..5a3a149d50 100644
--- a/detections/endpoint/linux_auditd_add_user_account.yml
+++ b/detections/endpoint/linux_auditd_add_user_account.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Add User Account
id: aae66dc0-74b4-4807-b480-b35f8027abb4
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index 6080f61072..ae806eb40b 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Add User Account Type
id: f8c325ea-506e-4105-8ccf-da1492e90115
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml
index 63a79584b6..aebd078139 100644
--- a/detections/endpoint/linux_auditd_at_application_execution.yml
+++ b/detections/endpoint/linux_auditd_at_application_execution.yml
@@ -1,7 +1,7 @@
name: Linux Auditd At Application Execution
id: 9f306e0a-1c36-469e-8892-968ca12470dd
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml
index 2f3a32c0b1..515e0c4417 100644
--- a/detections/endpoint/linux_auditd_auditd_service_stop.yml
+++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Auditd Service Stop
id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
index 07c7501efb..89247b3e0a 100644
--- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Change File Owner To Root
id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
index b1edc0205e..58925c0293 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Data Transfer Size Limits Via Split Syscall
id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
index 4ed51e4a3f..2c3e57ad31 100644
--- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Dd File Overwrite
id: d1b74420-4cea-4752-a123-9b40dfcca49a
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
index 9a72aac6c5..9397655d75 100644
--- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
+++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Disable Or Modify System Firewall
id: 07052556-d4b5-4bae-89aa-cbdc1bb11250
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
index d8366159cb..0e3c174dfc 100644
--- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Doas Conf File Creation
id: 61059783-574b-40d2-ac2f-69b898afd6b4
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml
index 72bec21b53..54af2e3220 100644
--- a/detections/endpoint/linux_auditd_doas_tool_execution.yml
+++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Doas Tool Execution
id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
index 3369a4c80b..d97f39e47d 100644
--- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
+++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Edit Cron Table Parameter
id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
index 7bd5b274f9..0fc792ad0f 100644
--- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Install Kernel Module Using Modprobe Utility
id: 95165985-ace5-4d42-9c42-93a89a5af901
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
index f401ae1c76..387d6a2b66 100644
--- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Kernel Module Using Rmmod Utility
id: 31810b7a-0abe-42be-a210-0dec8106afee
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
index b018346985..e8b98b6ce7 100644
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Nopasswd Entry In Sudoers File
id: 651df959-ad17-4b73-a323-90cb96d5fa1b
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml
index 5ef5f252b7..a71971586d 100644
--- a/detections/endpoint/linux_auditd_osquery_service_stop.yml
+++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Osquery Service Stop
id: 0c320fea-6e87-4b99-a884-74d09d4b655d
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
index 1e6024027c..c583a1d8a2 100644
--- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Possible Access Or Modification Of Sshd Config File
id: acb3ea33-70f7-47aa-b335-643b3aebcb2f
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
index 3a4a2cfde7..a9a968eb44 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Possible Access To Credential Files
id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
index 6dfa906169..bb328b6fed 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Possible Access To Sudoers File
id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
index 0392e6f344..174465cce2 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Preload Hijack Via Preload File
id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml
index 827bb36175..25f7969556 100644
--- a/detections/endpoint/linux_auditd_service_restarted.yml
+++ b/detections/endpoint/linux_auditd_service_restarted.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Service Restarted
id: 8eb3e858-18d3-44a4-a514-52cfa39f154a
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml
index 09f64c1243..82e6f41015 100644
--- a/detections/endpoint/linux_auditd_service_started.yml
+++ b/detections/endpoint/linux_auditd_service_started.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Service Started
id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
index bf1be4bd81..b299839343 100644
--- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Setuid Using Chmod Utility
id: 8230c407-1b47-4d95-ac2e-718bd6381386
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
index 20e89b1760..76ad5761a6 100644
--- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Shred Overwrite Command
id: ce2bde4d-a1d4-4452-8c87-98440e5adfb3
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
index 7e6a5cadd3..bdde5358db 100644
--- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Sudo Or Su Execution
id: 817a5c89-5b92-4818-a22d-aa35e1361afe
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
index f1c42a5312..ac9a5c1ba7 100644
--- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml
+++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Sysmon Service Stop
id: 20901256-633a-40de-8753-7b88811a460f
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
index 0ed6958042..202acd5902 100644
--- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
+++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
@@ -1,7 +1,7 @@
name: Linux Auditd System Network Configuration Discovery
id: 5db16825-81bd-4923-a8d6-d6a13a59832a
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
index 6957b46914..0132fb0852 100644
--- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Unix Shell Configuration Modification
id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
index ca49aa1428..f8fa35e89b 100644
--- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml
+++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Whoami User Discovery
id: d1ff2e22-310d-446a-80b3-faedaa7b3b52
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-20'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml
index 7afd85785e..b01e3965c4 100644
--- a/detections/endpoint/microsoft_defender_atp_alerts.yml
+++ b/detections/endpoint/microsoft_defender_atp_alerts.yml
@@ -1,7 +1,7 @@
name: Microsoft Defender ATP Alerts
id: 38f034ed-1598-46c8-95e8-14edf05fdf5d
-version: 1
-date: '2024-10-30'
+version: 2
+date: '2025-01-20'
author: Bryan Pluta, Bhavin Patel, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml
index 986beed0d1..bbf690276f 100644
--- a/detections/endpoint/microsoft_defender_incident_alerts.yml
+++ b/detections/endpoint/microsoft_defender_incident_alerts.yml
@@ -1,7 +1,7 @@
name: Microsoft Defender Incident Alerts
id: 13435b55-afd8-46d4-9045-7d5457f430a5
-version: 1
-date: '2024-10-30'
+version: 2
+date: '2025-01-20'
author: Bryan Pluta, Bhavin Patel, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
index 30eeab74ba..509c62f4b1 100644
--- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
+++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
@@ -1,7 +1,7 @@
name: Print Spooler Failed to Load a Plug-in
id: 1adc9548-da7c-11eb-8f13-acde48001122
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-20'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
index f2f62cc86d..1f4c9d8bfa 100644
--- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
+++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
@@ -1,7 +1,7 @@
name: Windows Domain Admin Impersonation Indicator
id: 10381f93-6d38-470a-9c30-d25478e3bd3f
-version: '5'
-date: '2024-11-28'
+version: 6
+date: '2025-01-20'
author: Mauricio Velazco, Splunk
status: production
type: TTP
From 548deb0b4b9b93a7a38324799114873c8b3a7e5c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Mon, 20 Jan 2025 15:11:16 +0100
Subject: [PATCH 18/37] update logic to match tests
--- ...covery_via_net.yml => windows_group_discovery_via_net.yml} | 4 ++-- .../endpoint/windows_network_connection_discovery_via_net.yml | 4 ++-- .../endpoint/windows_password_policy_discovery_with_net.yml | 4 ++-- .../windows_sensitive_registry_hive_dump_via_commandline.yml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) rename detections/endpoint/{windows_domain_group_discovery_via_net.yml => windows_group_discovery_via_net.yml} (87%)
diff --git a/detections/endpoint/windows_domain_group_discovery_via_net.yml b/detections/endpoint/windows_group_discovery_via_net.yml
similarity index 87%
rename from detections/endpoint/windows_domain_group_discovery_via_net.yml
rename to detections/endpoint/windows_group_discovery_via_net.yml
index b917407589..f63eadc65a 100644
--- a/detections/endpoint/windows_domain_group_discovery_via_net.yml
+++ b/detections/endpoint/windows_group_discovery_via_net.yml
@@ -1,4 +1,4 @@
-name: Windows Domain Group Discovery Via Net
+name: Windows Group Discovery Via Net
id: c5c8e0f3-147a-43da-bf04-4cfaec27dc44
version: 1
date: '2025-01-13'
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*group* AND Processes.process=*/do*) AND NOT (Processes.process="*/add" OR Processes.process="*/delete") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_domain_group_discovery_via_net_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` Processes.process="*group*" AND NOT (Processes.process="*/add" OR Processes.process="*/delete") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_group_discovery_via_net_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Administrators or power users may use this command for troubleshooting.
references:
diff --git a/detections/endpoint/windows_network_connection_discovery_via_net.yml b/detections/endpoint/windows_network_connection_discovery_via_net.yml
index 61e696275a..7f10332140 100644
--- a/detections/endpoint/windows_network_connection_discovery_via_net.yml
+++ b/detections/endpoint/windows_network_connection_discovery_via_net.yml
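Review bot: The rewritten `where` clause on the new `search` line joins `` `process_net` `` and `Processes.process="*group*"` with no operator, relying on SPL's implicit AND between adjacent terms; every other search in this series spells the conjunction out, so `` `process_net` AND Processes.process="*group*" `` keeps the style consistent and stops a reader assuming a token was dropped. Separately, the exclusions carried over from the old line are end-anchored (`"*/add"`, `"*/delete"`), so a modification such as `net localgroup Administrators x /add /domain` still passes the filter and is reported as discovery; `"*/add*"` and `"*/delete*"` would exclude those forms as well, if that is the intent. Dropping the `*/do*` requirement means local-group enumeration now lands here too, which fits the rename to "Windows Group Discovery Via Net" but widens what administrators will see from this analytic.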
@@ -5,12 +5,12 @@ date: '2025-01-13'
author: Mauricio Velazco, Splunk
status: production
type: Hunting
-description: The following analytic identifies the execution of `net.exe` or `net1.exe` with command-line arguments used to list network connections on a compromised system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement.
+description: The following analytic identifies the execution of `net.exe` with command-line arguments used to list network connections on a compromised system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement.
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process=*use) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_connection_discovery_via_net_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe") AND (Processes.process=*use) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_connection_discovery_via_net_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Administrators or power users may use this command for troubleshooting.
references:
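Review bot: Replacing `` `process_net` `` with `(Processes.process_name="net.exe" OR Processes.original_file_name="net.exe")` on the new `search` line drops `net1.exe`, and the new `description` removes it too; `net.exe` is commonly described as handing subcommands such as `use` off to `net1.exe`, and invoking `net1 use` directly is a well-known way to sidestep rules keyed on `net.exe` alone, so the narrowing opens a gap the macro did not have. If matching the tests is the only driver (as the commit message says), prefer `(Processes.process_name IN ("net.exe","net1.exe") OR Processes.original_file_name IN ("net.exe","net1.exe"))`, or record in `how_to_implement` why `net1.exe` is intentionally out of scope. `Processes.process=*use` remains end-anchored, so only the bare listing form `net use` matches, which is consistent with the description; the `version`/`date` lines are above this hunk and not visible here.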
diff --git a/detections/endpoint/windows_password_policy_discovery_with_net.yml b/detections/endpoint/windows_password_policy_discovery_with_net.yml
index d85bbd0440..e2e6de41f3 100644
--- a/detections/endpoint/windows_password_policy_discovery_with_net.yml
+++ b/detections/endpoint/windows_password_policy_discovery_with_net.yml
@@ -2,7 +2,7 @@ name: Windows Password Policy Discovery with Net
id: 09336538-065a-11ec-8665-acde48001122
version: 6
date: '2025-01-13'
-author: Teoderick Contreras, Mauricio Velazco, Splunk
+author: Teoderick Contreras, Mauricio Velazco, Nasreddine Bencherchali, Splunk
status: production
type: Hunting
description: The following analytic identifies the execution of `net.exe` with command line arguments aimed at obtaining the computer or domain password policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gather information about Active Directory password policies. If confirmed malicious, this behavior could allow attackers to understand password complexity requirements, aiding in brute-force or password-guessing attacks, ultimately compromising user accounts and gaining unauthorized access to the network.
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "*accounts" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_policy_discovery_with_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "*accounts*" AND Processes.process NOT IN ("*/FORCELOGOFF*", "*/MINPWLEN*", "*/MAXPWAGE*", "*/MINPWAGE*", "*/UNIQUEPW*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_policy_discovery_with_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml index 777938da61..97db28270b 100644 --- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml +++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml 
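Review bot: The added exclusion is written as `Processes.process NOT IN (...)`, which is not the documented SPL negation form; the supported spelling is `AND NOT Processes.process IN (...)`, which is exactly what PATCH 20 later in this series changes it to. Independently, widening `"*accounts"` to `"*accounts*"` makes the term match any net.exe command line that merely contains the substring, for example a group or account name passed to `net localgroup` or `net user`, so the hunting search will surface more than password-policy queries. Anchoring the subcommand as its own token, e.g. `Processes.process IN ("* accounts", "* accounts *")`, narrows this while still allowing `/domain` and similar trailing switches. The `search:` value is the entire changed line, so nothing outside the hunk is affected.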
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_reg` AND (Processes.process=*save* OR Processes.process=*export*)) OR (`process_regedit` Processes.process IN ("*/E *", "*-E *"))) AND (Processes.process="*HKEY_LOCAL_MACHINE*" OR Processes.process="*HKLM*") AND (Processes.process="*\sam*" OR Processes.process="*\system*" OR Processes.process="*\security*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sensitive_registry_hive_dump_via_commandline_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_reg` Processes.process IN ("*save*", "*export*")) OR (`process_regedit` Processes.process IN ("*/E *", "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE*", "*HKLM*") AND Processes.process IN ("*\sam*", "*\system*", "*\security*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sensitive_registry_hive_dump_via_commandline_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is possible some agent based products will generate false positives. Filter as needed. references: From 0d976cfffe74113f81fb2baa212e518a9b5c5aca Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 16:42:07 +0100 Subject: [PATCH 19/37] additional updates and fixes --- ...work_configuration_discovery_activity.yml} | 20 +++++++++---------- ...te_local_administrator_account_via_net.yml | 2 +- ...s_network_connection_discovery_via_net.yml | 4 ++-- ...ows_network_share_interaction_via_net.yml} | 16 ++++++++------- ..._network_configuration_discovery_tools.yml | 13 ++---------- 5 files changed, 24 insertions(+), 31 deletions(-) rename detections/endpoint/{detect_processes_used_for_system_network_configuration_discovery.yml => potential_system_network_configuration_discovery_activity.yml} (82%) rename detections/endpoint/{windows_network_share_interaction_with_net.yml => windows_network_share_interaction_via_net.yml} (67%) diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml similarity index 82% rename from detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml rename to detections/endpoint/potential_system_network_configuration_discovery_activity.yml index 2c66b755db..8735dc9e4f 100644 
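Review bot: The hive term `"*\system*"` on the new side matches any `\system…` substring anywhere in the command line, not only the `HKLM\SYSTEM` hive: an `HKLM\...\SystemRestore`-style subkey, or an output path under `\System32`, satisfies it together with the `HKLM` and `save`/`export` terms. Since `known_false_positives` only mentions agent-based products, a sentence along the lines of `Exports of HKLM subkeys whose name or destination path contains "\system" (for example a \System32 path) also match the hive terms; tune as needed.` would set expectations for the analyst triaging the alert. The switch from nested `OR` to `IN (...)` lists is otherwise equivalent and easier to read.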
--- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
+++ b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
@@ -1,16 +1,16 @@ -name: Detect processes used for System Network Configuration Discovery +name: Potential System Network Configuration Discovery Activity id: a51bfe1a-94f0-48cc-b1e4-16ae10145893 -version: 5 -date: '2024-09-30' +version: 6 +date: '2025-01-20' author: Bhavin Patel, Splunk status: production -type: TTP -description: The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity is significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise. +type: Anomaly +description: The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity can be significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`' +search: '| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `potential_system_network_configuration_discovery_activity_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives. references: [] @@ -27,9 +27,9 @@ tags: analytic_story: - Unusual Processes asset_type: Endpoint - confidence: 80 - impact: 40 - message: An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process. + confidence: 50 + impact: 50 + message: An instance of $parent_process_name$ spawning multiple network discovery processes such as $process_name$ was identified on endpoint $dest$ by user $user$. mitre_attack_id: - T1016 observable: @@ -66,7 +66,7 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 32 + risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_create_local_administrator_account_via_net.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml index 118809b4c7..8d655f6725 100644 --- a/detections/endpoint/windows_create_local_administrator_account_via_net.yml +++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml 
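Review bot: Renaming the analytic also renames its tuning macro at the tail of the `search:` value, from `detect_processes_used_for_system_network_configuration_discovery_filter` to `potential_system_network_configuration_discovery_activity_filter`, so any locally customised filter macro under the old name silently stops applying once version 6 ships. The same happens in the network-share hunk further down, where `windows_network_share_interaction_with_net_filter` becomes `windows_network_share_interaction_via_net_filter`. Calling this out where operators will read it, for example appending `Note: the filter macro was renamed in version 6; migrate any local exclusions from the previous *_filter macro.` to `known_false_positives`, would avoid lost exclusions. The `@@ -27` and `@@ -66` hunks of this file only adjust confidence, impact, risk_score and the message text, consistent with the move from TTP to Anomaly.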
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=*/add* AND (Processes.process IN ("*administrators*", "*administratoren*", "*administrateurs*", "*administrador*", "*amministratori*", "*administratorer*", "*Rendszergazda*", "*Администратор*", "*Administratör*") by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_create_local_administrator_account_via_net_filter`' +search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process values(parent_process_name) as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process=*/add* AND Processes.process IN ("*administrators*", "*administratoren*", "*administrateurs*", "*administrador*", "*amministratori*", "*administratorer*", "*Rendszergazda*", "*Администратор*", "*Administratör*") by Processes.process Processes.process_name Processes.parent_process_name Processes.dest Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_create_local_administrator_account_via_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators often leverage net.exe to create admin accounts. references: [] diff --git a/detections/endpoint/windows_network_connection_discovery_via_net.yml b/detections/endpoint/windows_network_connection_discovery_via_net.yml index 7f10332140..cdba356391 100644 --- a/detections/endpoint/windows_network_connection_discovery_via_net.yml +++ b/detections/endpoint/windows_network_connection_discovery_via_net.yml 
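Review bot: `values(parent_process_name) as parent_process_name` is the only unqualified field in the `tstats` aggregation; every other field is addressed as `Processes.<field>`, and `Processes.parent_process_name` is already part of the `by` clause, so this aggregate is at best redundant and, if the bare name does not resolve against the data model, simply contributes nothing. The same redundancy applies to `values(Processes.user) as user` next to `by ... Processes.user`. Dropping both, leaving `count values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime`, keeps the output columns identical because `drop_dm_object_name(Processes)` strips the prefix from the `by` fields. Removing the unbalanced `(` before `Processes.process IN` is the right fix and presumably why the search now parses.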
@@ -5,12 +5,12 @@ date: '2025-01-13' author: Mauricio Velazco, Splunk status: production type: Hunting -description: The following analytic identifies the execution of `net.exe` with command-line arguments used to list network connections on a compromised system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement. +description: The following analytic identifies the execution of `net.exe` with command-line arguments used to list or display information about computer connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential network reconnaissance by adversaries or Red Teams, aiming to gather situational awareness and Active Directory information. If confirmed malicious, this behavior could allow attackers to map the network, identify critical assets, and plan further attacks, potentially leading to data exfiltration or lateral movement. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe") AND (Processes.process=*use) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_connection_discovery_via_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (`process_net` OR (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe")) AND (Processes.process=*use) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_connection_discovery_via_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
known_false_positives: Administrators or power users may use this command for troubleshooting. references: diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml similarity index 67% rename from detections/endpoint/windows_network_share_interaction_with_net.yml rename to detections/endpoint/windows_network_share_interaction_via_net.yml index e526666d9d..db23e8ba6e 100644 --- a/detections/endpoint/windows_network_share_interaction_with_net.yml +++ b/detections/endpoint/windows_network_share_interaction_via_net.yml 
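Review bot: `Processes.process=*use` anchors only on the trailing three characters, so besides a bare `net use` it accepts any net.exe command line ending in `use` (a `net pause` with no service name, for instance), while `net use` followed by trailing whitespace is missed; anchoring the subcommand as its own token, `Processes.process="* use"`, expresses the "list or display connections" intent from the updated description more precisely. Separately, the new `(`process_net` OR (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe"))` disjunction is redundant if the `process_net` macro already matches on those two fields, as its name suggests; the macro body is not part of this patch, so that is worth confirming before keeping both halves.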
@@ -1,16 +1,18 @@ -name: Windows Network Share Interaction With Net +name: Windows Network Share Interaction Via Net id: 4dc3951f-b3f8-4f46-b412-76a483f72277 -version: 3 -date: '2024-11-26' +version: 4 +date: '2025-01-20' author: Dean Luxton status: production -type: TTP +type: Anomaly data_source: - Sysmon EventID 1 -description: This analytic detects network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE `process_net` BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec Processes.process Processes.parent_process | `drop_dm_object_name(Processes)` | regex process="net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_share_interaction_with_net_filter`' +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +description: The following analytic identifies network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. 
By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (`process_net` OR (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe")) AND Processes.process IN ("*use *", "*view *") BY Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_share_interaction_via_net_filter`' how_to_implement: The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with process command line logging enabled. These sources provide security-related telemetry from the endpoints. To implement this search, you must ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common Information Model (CIM) to normalize the field names capture the data within the datamodel schema. -known_false_positives: Unknown +known_false_positives: Administrators or power users may use this command. Additional filters needs to be applied. references: - https://attack.mitre.org/techniques/T1135/ drilldown_searches: diff --git a/macros/system_network_configuration_discovery_tools.yml b/macros/system_network_configuration_discovery_tools.yml index 3f869e3af2..245c383f2d 100644 --- a/macros/system_network_configuration_discovery_tools.yml +++ b/macros/system_network_configuration_discovery_tools.yml 
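Review bot: The new `Processes.process IN ("*use *", "*view *")` list drops the `net share` variant that the previous regex (`net[\s\.ex1]+share`) covered, while the description still promises detection of listing and interacting with network shares; `Processes.process IN ("*use *", "*view *", "*share*")` restores that coverage. `"*view *"` also requires an argument after `view`, so a bare `net view` is excluded — PATCH 21 later in this series relaxes it to `"*view*"`. In `known_false_positives`, `Additional filters needs to be applied` should read `need`.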
@@ -1,12 +1,3 @@ -definition: (process_name= "arp.exe" OR process_name= "at.exe" OR process_name= "attrib.exe" - OR process_name= "cscript.exe" OR process_name= "dsquery.exe" OR process_name= "hostname.exe" - OR process_name= "ipconfig.exe" OR process_name= "mimikatz.exe" OR process_name= - "nbstat.exe" OR process_name= "net.exe" OR process_name= "netsh.exe" OR process_name= - "nslookup.exe" OR process_name= "ping.exe" OR process_name= "quser.exe" OR process_name= - "qwinsta.exe" OR process_name= "reg.exe" OR process_name= "runas.exe" OR process_name= - "sc.exe" OR process_name= "schtasks.exe" OR process_name= "ssh.exe" OR process_name= - "systeminfo.exe" OR process_name= "taskkill.exe" OR process_name= "telnet.exe" OR - process_name= "tracert.exe" OR process_name="wscript.exe" OR process_name= "xcopy.exe") -description: This macro is a list of process that can be used to discover the network - configuration +definition: (process_name="arp.exe" OR process_name="dsquery.exe" OR process_name="hostname.exe" OR process_name="ipconfig.exe" OR process_name="nbstat.exe" OR process_name="net.exe" OR process_name="netsh.exe" OR process_name="nslookup.exe" OR process_name= "ping.exe" OR process_name= "quser.exe" OR process_name="qwinsta.exe" OR process_name= "telnet.exe" OR process_name= "tracert.exe") +description: This macro is a list of processes that can be used to discover the network configuration name: system_network_configuration_discovery_tools From ec6f2da84de77b92572362191b164cc628f8bfa4 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 16:45:15 +0100 Subject: [PATCH 20/37] Update windows_password_policy_discovery_with_net.yml --- .../endpoint/windows_password_policy_discovery_with_net.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_password_policy_discovery_with_net.yml b/detections/endpoint/windows_password_policy_discovery_with_net.yml index e2e6de41f3..1c79471ad6 100644 
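Review bot: `process_name="nbstat.exe"` in the rebuilt definition is carried over from the old list but does not name a Windows binary; the NetBIOS utility is `nbtstat.exe`, so this entry never matches and the tool is effectively absent from the set that `Potential System Network Configuration Discovery Activity` counts toward its `eventcount>=5` threshold. Changing it to `process_name="nbtstat.exe"` fixes that. The single-line definition also mixes `process_name="x"` with `process_name= "x"` (`ping.exe`, `quser.exe`, `telnet.exe`, `tracert.exe`); normalising the spacing is a one-line cleanup that makes future additions less error-prone.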
--- a/detections/endpoint/windows_password_policy_discovery_with_net.yml
+++ b/detections/endpoint/windows_password_policy_discovery_with_net.yml
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "*accounts*" AND Processes.process NOT IN ("*/FORCELOGOFF*", "*/MINPWLEN*", "*/MAXPWAGE*", "*/MINPWAGE*", "*/UNIQUEPW*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_policy_discovery_with_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process = "*accounts*" AND NOT Processes.process IN ("*/FORCELOGOFF*", "*/MINPWLEN*", "*/MAXPWAGE*", "*/MINPWAGE*", "*/UNIQUEPW*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_password_policy_discovery_with_net_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Administrators or power users may use this command for troubleshooting. references: From b3d58a6b4e301fd258318c3c7c29c5af575552f8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 17:43:32 +0100 Subject: [PATCH 21/37] update to pass tests --- .../windows_common_abused_cmd_shell_risk_behavior.yml | 6 +++--- .../endpoint/windows_network_share_interaction_via_net.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml index b96b349845..43e057c70d 100644 --- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml +++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml 
@@ -1,13 +1,13 @@ name: Windows Common Abused Cmd Shell Risk Behavior id: e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-20' author: Teoderick Contreras, Splunk status: production type: Correlation data_source: [] description: The following analytic identifies instances where four or more distinct detection analytics are associated with malicious command line behavior on a specific host. This detection leverages the Command Line Interface (CLI) data from various sources to identify suspicious activities. This behavior is significant as it often indicates attempts to execute malicious commands, access sensitive data, install backdoors, or perform other nefarious actions. If confirmed malicious, attackers could gain unauthorized control, exfiltrate information, escalate privileges, or launch further attacks within the network, leading to severe compromise. -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", 
"*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`' +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`' how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance. known_false_positives: False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers. references: diff --git a/detections/endpoint/windows_network_share_interaction_via_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml index db23e8ba6e..f8098110ef 100644 --- a/detections/endpoint/windows_network_share_interaction_via_net.yml +++ b/detections/endpoint/windows_network_share_interaction_via_net.yml 
@@ -10,7 +10,7 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 description: The following analytic identifies network share discovery and collection activities performed on Windows systems using the Net command. Attackers often use network share discovery to identify accessible shared resources within a network, which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection activities. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (`process_net` OR (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe")) AND Processes.process IN ("*use *", "*view *") BY Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_share_interaction_via_net_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (`process_net` OR (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe")) AND Processes.process IN ("*use *", "*view*") BY Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_network_share_interaction_via_net_filter`' how_to_implement: The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with process command line logging enabled. 
These sources provide security-related telemetry from the endpoints. To implement this search, you must ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common Information Model (CIM) to normalize the field names capture the data within the datamodel schema. known_false_positives: Administrators or power users may use this command. Additional filters needs to be applied. references: From 3452135c58e07eafb4e600fabf1c35bb386289b3 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 18:29:42 +0100 Subject: [PATCH 22/37] update more office analytics and others --- .../office_product_spawning_wmic.yml | 0 ...ffice_product_dropped_cab_or_inf_file.yml} | 38 ++++------------- ..._office_product_dropped_uncommon_file.yml} | 42 +++++-------------- ...s_office_product_loaded_mshtml_module.yml} | 10 ++--- ...s_office_product_loading_taskschd_dll.yml} | 18 ++++---- ...ndows_office_product_loading_vbe7_dll.yml} | 16 +++---- ...uct_spawned_child_process_for_download.yml | 2 +- macros/process_office_products.yml | 2 +- 8 files changed, 43 insertions(+), 85 deletions(-) rename detections/{endpoint => deprecated}/office_product_spawning_wmic.yml (100%) rename detections/endpoint/{office_product_writing_cab_or_inf.yml => windows_office_product_dropped_cab_or_inf_file.yml} (58%) rename detections/endpoint/{office_application_drop_executable.yml => windows_office_product_dropped_uncommon_file.yml} (53%) rename detections/endpoint/{mshtml_module_load_in_office_product.yml => windows_office_product_loaded_mshtml_module.yml} (80%) rename detections/endpoint/{office_document_creating_schedule_task.yml => windows_office_product_loading_taskschd_dll.yml} (78%) rename detections/endpoint/{office_document_executing_macro_code.yml => windows_office_product_loading_vbe7_dll.yml} (80%) 
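Review bot: Dropping the trailing space in `"*view*"` makes the +search match any net.exe command line that merely contains `view` as a substring (a share or path such as `\\srv\preview` used with an unrelated verb), while `"*use *"` still misses an argument-less `net use`, which lists current mappings and is just as relevant to share discovery. If the intent was to catch `net view` with no arguments, anchoring on the verb token keeps both cases tight: `Processes.process IN ("* use", "* use *", "* view", "* view *")`. The trailing-space variants remain necessary because `"* use"` alone would not match a command that carries arguments.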
diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/deprecated/office_product_spawning_wmic.yml similarity index 100% rename from detections/endpoint/office_product_spawning_wmic.yml rename to detections/deprecated/office_product_spawning_wmic.yml diff --git a/detections/endpoint/office_product_writing_cab_or_inf.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml similarity index 58% rename from detections/endpoint/office_product_writing_cab_or_inf.yml rename to detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml index 936819f977..8610e49fab 100644 --- a/detections/endpoint/office_product_writing_cab_or_inf.yml +++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml 
@@ -1,38 +1,17 @@ -name: Office Product Writing cab or inf +name: Windows Office Product Dropped Cab or Inf File id: f48cd1d4-125a-11ec-a447-acde48001122 -version: '8' -date: '2024-11-28' +version: 9 +date: '2025-01-20' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects Office products writing .cab or .inf files, - indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and - Endpoint.Filesystem data models to identify Office applications creating these file - types. This activity is significant as it may signal an attempt to load malicious - ActiveX controls and download remote payloads, a known attack vector. If confirmed - malicious, this could lead to remote code execution, allowing attackers to gain - control over the affected system and potentially compromise sensitive data. +description: The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data. 
data_source: -- Sysmon EventID 1 +- Sysmon EventID 1 AND Sysmon EventID 11 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -- Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") - by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest - Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as - proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count - min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem - where Filesystem.file_name IN ("*.inf","*.cab") by _time span=1h Filesystem.dest - Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid - | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time - dest file_create_time file_name file_path process_name process_path process proc_guid] - | dedup file_create_time | table dest, process_name, process, file_create_time, - file_name, file_path, proc_guid | `office_product_writing_cab_or_inf_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` - node. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN `process_office_products` by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.cab", "*.inf") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `windows_office_product_dropped_cab_or_inf_file_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. known_false_positives: The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product. @@ -66,8 +45,7 @@ tags: cve: - CVE-2021-40444 impact: 80 - message: An instance of $process_name$ was identified on $dest$ writing an inf or - cab file to this. This is not typical of $process_name$. + message: An instance of $process_name$ was identified on $dest$ writing a .inf or .cab file. This is uncommon behavior and require further investigation. mitre_attack_id: - T1566 - T1566.001 
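Review bot: The +data_source list still advertises `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2`, but the new search joins `Endpoint.Processes` against `Endpoint.Filesystem`, which neither of those sources populates, so a deployment fed only by 4688 or Falcon process events will silently return nothing; `how_to_implement` should state that a file-create source (Sysmon EventID 11 or equivalent) is mandatory. The `join proc_guid, _time` after `span=1h` also only correlates when the file creation lands in the same hour bucket as the process-creation event, so an Office process left open across an hour boundary that then writes a .cab/.inf is missed; either document the one-hour window or widen it. Separately, `Processes.process_name IN` followed by the `process_office_products` macro treats a macro that already expands to a full boolean expression as a value list (this is corrected later in the series in PATCH 25).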
diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml similarity index 53% rename from detections/endpoint/office_application_drop_executable.yml rename to detections/endpoint/windows_office_product_dropped_uncommon_file.yml index 1f9bce4930..58ff81e65e 100644 --- a/detections/endpoint/office_application_drop_executable.yml +++ b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml 
@@ -1,35 +1,15 @@ -name: Office Application Drop Executable +name: Windows Office Product Dropped Uncommon File id: 73ce70c4-146d-11ec-9184-acde48001122 -version: '7' -date: '2024-11-28' +version: 8 +date: '2025-01-20' author: Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github status: production -type: TTP -description: The following analytic detects Microsoft Office applications dropping - or creating executables or scripts on a Windows OS. It leverages process creation - and file system events from the Endpoint data model to identify Office applications - like Word or Excel generating files with extensions such as .exe, .dll, or .ps1. - This behavior is significant as it is often associated with spear-phishing attacks - where malicious files are dropped to compromise the host. If confirmed malicious, - this activity could lead to code execution, privilege escalation, or persistent - access, posing a severe threat to the environment. +type: Anomaly +description: The following analytic detects Microsoft Office applications dropping or creating executables or scripts on a Windows OS. It leverages process creation and file system events from the Endpoint data model to identify Office applications like Word or Excel generating files with extensions such as ".exe", ".dll", or ".ps1". This behavior is significant as it is often associated with spear-phishing attacks where malicious files are dropped to compromise the host. If confirmed malicious, this activity could lead to code execution, privilege escalation, or persistent access, posing a severe threat to the environment. 
data_source: - Sysmon EventID 1 AND Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") - by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest - Processes.process_guid | `drop_dm_object_name(Processes)` |join process_guid, _time - [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe","*.dll","*.pif","*.scr","*.js","*.vbs","*.vbe","*.ps1") - by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name - Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` - | fields _time dest file_create_time file_name file_path process_name process_path - process process_guid] | dedup file_create_time | table dest, process_name, process, - file_create_time, file_name, file_path, process_guid | `office_application_drop_executable_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. 
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_office_products` by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.dll", "*.exe", "*.js", "*.pif", "*.ps1", "*.scr", "*.vbe", "*.vbs") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process process_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, process_guid | `windows_office_product_dropped_uncommon_file_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. known_false_positives: office macro for automation may do this behavior references: - https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation @@ -59,9 +39,9 @@ tags: - AgentTesla - PlugX asset_type: Endpoint - confidence: 80 - impact: 80 - message: process $process_name$ drops a file $file_name$ in host $dest$ + confidence: 60 + impact: 60 + message: An instance of $process_name$ was identified on $dest$ writing the file $file_name$. This is uncommon behavior and require further investigation. mitre_attack_id: - T1566 - T1566.001 
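Review bot: The reflowed `how_to_implement` still ends with `Tune and filter known instances where renamed rundll32.exe may be used`, which has nothing to do with Office products writing files and reads as a copy-paste leftover; replace it with guidance specific to this analytic, e.g. `Filter known automation that legitimately exports scripts or binaries from Office applications.` Since the analytic is now "Dropped Uncommon File" and the description promises scripts as well as executables, the `Filesystem.file_name` list could reasonably add `"*.bat", "*.cmd", "*.hta", "*.wsf", "*.jse", "*.lnk"`, which are common macro drop targets and currently go unseen. The same `span=1h` join caveat as the cab/inf analytic applies here: a file created in a later hour bucket than the process event is not correlated.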
@@ -85,7 +65,7 @@ tags: - process_guid - dest - user_id - risk_score: 64 + risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/mshtml_module_load_in_office_product.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml similarity index 80% rename from detections/endpoint/mshtml_module_load_in_office_product.yml rename to detections/endpoint/windows_office_product_loaded_mshtml_module.yml index adaaba6fd6..6b17ff86fd 100644 --- a/detections/endpoint/mshtml_module_load_in_office_product.yml +++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml 
@@ -1,14 +1,14 @@
-name: MSHTML Module Load in Office Product
+name: Windows Office Product Loaded MSHTML Module
 id: 5f1c168e-118b-11ec-84ff-acde48001122
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2025-01-20'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the loading of the mshtml.dll module into an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages Sysmon EventID 7 to monitor image loads by specific Office processes. This activity is significant because it can indicate an attempt to exploit a vulnerability in the MSHTML component via a malicious document. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network penetration.
 data_source:
 - Sysmon EventID 7
-search: '`sysmon` EventID=7 process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe","Graph.exe","winproj.exe") loaded_file_path IN ("*\\mshtml.dll", "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mshtml_module_load_in_office_product_filter`'
+search: '`sysmon` EventID=7 process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe", "wordpad.exe", "wordview.exe") loaded_file_path IN ("*\\mshtml.dll", "*\\Microsoft.mshtml.dll","*\\IE.Interop.MSHTML.dll","*\\MshtmlDac.dll","*\\MshtmlDed.dll","*\\MshtmlDer.dll") | stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_loaded_mshtml_module_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process names and image loads from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
 known_false_positives: Limited false positives will be present, however, tune as necessary. Some applications may legitimately load mshtml.dll.
 references:
diff --git a/detections/endpoint/office_document_creating_schedule_task.yml b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
similarity index 78%
rename from detections/endpoint/office_document_creating_schedule_task.yml
rename to detections/endpoint/windows_office_product_loading_taskschd_dll.yml
index 9c3c447078..242d4caaea 100644
--- a/detections/endpoint/office_document_creating_schedule_task.yml
+++ b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
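Review bot: Adding `outlook.exe` to the +search process list is likely to raise volume considerably, since Outlook renders HTML mail and previews and can be expected to load `mshtml.dll` in normal use, yet `known_false_positives` was not updated; either drop it from this list or add `Outlook legitimately loads mshtml.dll when rendering HTML content; baseline before enabling.` to `known_false_positives`. The hardcoded list also diverges from the sibling Sysmon EventID 7 searches changed in this commit (this one carries `wordpad.exe` and `wordview.exe`, the taskschd and VBE7 ones do not), and because `process_office_products` is written against `Processes.*` fields it cannot be reused here; a second macro holding raw Sysmon `process_name` values would keep the three lists in step.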
@@ -1,14 +1,14 @@
-name: Office Document Creating Schedule Task
+name: Windows Office Product Loading Taskschd DLL
 id: cc8b7b74-9d0f-11eb-8342-acde48001122
-version: 8
-date: '2024-09-30'
+version: 9
+date: '2025-01-20'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects an Office document creating a scheduled task, either through a macro VBA API or by loading `taskschd.dll`. This detection leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` file. This activity is significant as it is a common technique used by malicious macro malware to establish persistence or initiate beaconing. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, or schedule future malicious activities, posing a significant threat to the environment.
 data_source:
 - Sysmon EventID 7
-search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe", "msaccess.exe") loaded_file_path = "*\\taskschd.dll" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`'
+search: '`sysmon` EventCode=7 process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") loaded_file_path = "*\\taskschd.dll" | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, process_name,loaded_file, loaded_file_path, original_file_name, process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_loading_taskschd_dll_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.
 known_false_positives: False positives may occur if legitimate office documents are creating scheduled tasks. Ensure to investigate the scheduled task and the command to be executed. If the task is benign, add the task name to the exclusion list. Some applications may legitimately load taskschd.dll.
 references:
@@ -28,9 +28,9 @@ tags:
 analytic_story:
 - Spearphishing Attachments
 asset_type: Endpoint
- confidence: 70
- impact: 70
- message: An Office document was identified creating a scheduled task on $dest$. Investigate further.
+ confidence: 50
+ impact: 50
+ message: $process_name$ was identified loading the taskschd.dll on $dest$. This could indicate a potential malicious macro being executed. Further analysis is required.
 mitre_attack_id:
 - T1566
 - T1566.001
@@ -53,7 +53,7 @@ tags:
 - ProcessId
 - ProcessGuid
 - _time
- risk_score: 49
+ risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/office_document_executing_macro_code.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
similarity index 80%
rename from detections/endpoint/office_document_executing_macro_code.yml
rename to detections/endpoint/windows_office_product_loading_vbe7_dll.yml
index 7cbe39d7e0..7486928eaa 100644
--- a/detections/endpoint/office_document_executing_macro_code.yml
+++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
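Review bot: The description still claims the analytic detects a task created `either through a macro VBA API or by loading taskschd.dll`, but the +search only matches the DLL load, so the first half of that sentence describes behaviour the search does not have; it should read `The following analytic detects an Office application loading taskschd.dll, the library a macro uses to create scheduled tasks through the Task Scheduler COM API.` Likewise `known_false_positives` tells the analyst to `add the task name to the exclusion list`, but no task name is present in the output fields (`user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid`), so that advice cannot be followed from this search alone. The process list also omits `wordpad.exe` and `wordview.exe`, which the MSHTML analytic in this same commit includes.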
@@ -1,14 +1,14 @@
-name: Office Document Executing Macro Code
+name: Windows Office Product Loading VBE7 DLL
 id: b12c89bc-9d06-11eb-a592-acde48001122
-version: 7
-date: '2024-09-30'
+version: 8
+date: '2025-01-20'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk.
 data_source:
 - Sysmon EventID 7
-search: '`sysmon` EventCode=7 process_name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe") loaded_file_path IN ("*\\VBE7INTL.DLL","*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`'
+search: '`sysmon` EventCode=7 process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") loaded_file_path IN ("*\\VBE7INTL.DLL", "*\\VBE7.DLL", "*\\VBEUI.DLL") | stats min(_time) as firstTime max(_time) as lastTime values(loaded_file) as loaded_file count by dest EventCode process_name process_guid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_loading_vbe7_dll_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded (Like sysmon EventCode 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Also be sure to include those monitored dll to your own sysmon config.
 known_false_positives: False positives may occur if legitimate office documents are executing macro code. Ensure to investigate the macro code and the command to be executed. If the macro code is benign, add the document name to the exclusion list. Some applications may legitimately load VBE7INTL.DLL, VBE7.DLL, or VBEUI.DLL.
 references:
@@ -41,8 +41,8 @@ tags:
 - NjRAT
 asset_type: Endpoint
 confidence: 50
- impact: 70
- message: Office document executing a macro on $dest$
+ impact: 50
+ message: $process_name$ was identified loading $loaded_file_path$ on $dest$. This could indicate a potential malicious macro being executed. Further analysis is required.
 mitre_attack_id:
 - T1566
 - T1566.001
@@ -65,7 +65,7 @@ tags:
 - ProcessId
 - ProcessGuid
 - _time
- risk_score: 35
+ risk_score: 25
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
index 05cd8c0c25..1736227ef8 100644
--- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
+++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
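Review bot: The new `message` references `$loaded_file_path$`, but the +search only outputs `values(loaded_file) as loaded_file` and groups by `dest EventCode process_name process_guid`, so `loaded_file_path` never reaches the notable and the token will render unresolved. Either change the message to use `$loaded_file$` or extend the stats with `values(loaded_file_path) as loaded_file_path`. The stats also drops `user_id`, which the MSHTML and taskschd searches in this commit keep in their `by` clause; carrying it here would let the three analytics be triaged consistently.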
@@ -10,7 +10,7 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_spawned_child_process_for_download_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN ("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_spawned_child_process_for_download_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: Default browser not in the filter list.
 references:
diff --git a/macros/process_office_products.yml b/macros/process_office_products.yml
index d161fca52c..1f3155d735 100644
--- a/macros/process_office_products.yml
+++ b/macros/process_office_products.yml
@@ -1,3 +1,3 @@
-definition: (Processes.process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") OR Processes.original_file_name IN ("EQNEDT32.EXE", "Excel.exe", "Graph.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteIm.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "VISIO.EXE", "WinProj.exe", "WinWord.exe"))
+definition: (Processes.process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe", "wordpad.exe", "wordview.exe") OR Processes.original_file_name IN ("EQNEDT32.EXE", "Excel.exe", "Graph.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteIm.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "VISIO.EXE", "WinProj.exe", "WinWord.exe"))
 description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
 name: process_office_products
\ No newline at end of file
From 473b732972d6adfa34dca2e0b7d20fd1039464c2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Mon, 20 Jan 2025 18:30:36 +0100
Subject: [PATCH 23/37] Update office_product_spawning_wmic.yml
---
 detections/deprecated/office_product_spawning_wmic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
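Review bot: `wordpad.exe` and `wordview.exe` were added to the `Processes.process_name` list in the +definition but not to the `Processes.original_file_name` list, so a renamed copy of either binary — the case the second clause exists to catch — will not match; add their OriginalFileName values (verify them against the strontic source the description cites) or note the gap in `description`. WordPad is also not an Office product, and this macro is consumed by several analytics in this commit (the dropped-file searches), so the addition widens each of them; if that is intended, say so in `description` rather than leaving the macro name to imply Office-only coverage.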
diff --git a/detections/deprecated/office_product_spawning_wmic.yml b/detections/deprecated/office_product_spawning_wmic.yml index 6f4941e74a..477df1d5cc 100644 --- a/detections/deprecated/office_product_spawning_wmic.yml +++ b/detections/deprecated/office_product_spawning_wmic.yml @@ -3,7 +3,7 @@ id: ffc236d6-a6c9-11eb-95f1-acde48001122 version: 10 date: '2025-01-13' author: Michael Haag, Splunk -status: production +status: deprecated type: TTP description: The following analytic has been deprecated in favour of a more generic approach in "Windows Office Product Spawned Uncommon Process". The following analytic detects any Windows Office Product spawning `wmic.exe`, From 65cea954435bb07a3fdc426bb08f8a56cdb745d4 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 18:33:03 +0100 Subject: [PATCH 24/37] Update windows_sensitive_registry_hive_dump_via_commandline.yml --- .../windows_sensitive_registry_hive_dump_via_commandline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml index 97db28270b..c24d7977a0 100644 --- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml +++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml 
@@ -77,12 +77,12 @@ tags: risk_score: 56 security_domain: endpoint tests: -- name: True Positive Test +- name: True Positive Test - Sysmon attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog -- name: True Positive Test +- name: True Positive Test - CrowdStrike attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log source: crowdstrike From 9b97d31129e51113bf995b7fc3ddb09706c27182 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 20 Jan 2025 19:19:41 +0100 Subject: [PATCH 25/37] bug fix --- .../endpoint/windows_office_product_dropped_cab_or_inf_file.yml | 2 +- .../windows_sensitive_registry_hive_dump_via_commandline.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml index 8610e49fab..00b394fcb1 100644 --- a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml +++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 AND Sysmon EventID 11 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN `process_office_products` by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.cab", "*.inf") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, process_name, process, file_create_time, file_name, file_path, proc_guid | `windows_office_product_dropped_cab_or_inf_file_filter`' +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_office_products` by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | join proc_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.cab", "*.inf") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid | fields _time dest file_create_time file_name file_path process_name process_path process proc_guid] | dedup file_create_time | table dest, 
process_name, process, file_create_time, file_name, file_path, proc_guid | `windows_office_product_dropped_cab_or_inf_file_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem` node. known_false_positives: The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml index c24d7977a0..486b60664a 100644 --- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml +++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_reg` Processes.process IN ("*save*", "*export*")) OR (`process_regedit` Processes.process IN ("*/E *", "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE*", "*HKLM*") AND Processes.process IN ("*\sam*", "*\system*", "*\security*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sensitive_registry_hive_dump_via_commandline_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ((`process_reg` Processes.process IN ("*save*", "*export*")) OR (`process_regedit` Processes.process IN ("*/E *", "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE*", "*HKLM*") AND Processes.process IN ("*SAM*", "*System*", "*Security*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sensitive_registry_hive_dump_via_commandline_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is possible some agent based products will generate false positives. Filter as needed. references: From 480e29b27b4f8192423c44d7e110bfec678b4516 Mon Sep 17 00:00:00 2001 
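Review bot: Dropping the backslash from the hive names in the new `search` line widens the third `IN` list well beyond the SAM/SYSTEM/SECURITY hive paths: `"*System*"` also matches the `System32` directory that normally appears in the full `process` command line of `reg.exe`/`regedit.exe`, so a `reg save HKLM\SOFTWARE\... out.hiv` launched by full path now satisfies every clause of the where condition. If the backslash was removed because `\s`/`\S` was not reaching Splunk intact, the escaped form `"*\\SAM*", "*\\System*", "*\\Security*"` keeps the path anchoring while fixing that; if the change was meant to make the match case-insensitive, it is worth confirming in the test data that `tstats ... where` on this data model treats the `IN` wildcards case-insensitively, since otherwise lower-case `\sam` invocations stop matching. The `known_false_positives` text is unchanged and does not mention the new breadth, so a sentence about `System32` paths there would help tuners if the wider pattern is kept.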
From: Nasreddine Bencherchali Date: Wed, 22 Jan 2025 12:12:08 +0100 Subject: [PATCH 26/37] remove fields --- .../excel_spawning_windows_script_host.yml | 30 ----------- .../linux_auditd_add_user_account.yml | 12 ----- .../linux_auditd_add_user_account_type.yml | 17 ------- .../linux_auditd_at_application_execution.yml | 17 ------- .../linux_auditd_auditd_service_stop.yml | 16 ------ .../linux_auditd_base64_decode_files.yml | 13 ----- ...linux_auditd_change_file_owner_to_root.yml | 12 ----- .../linux_auditd_clipboard_data_copy.yml | 13 ----- .../linux_auditd_data_destruction_command.yml | 13 ----- ...td_data_transfer_size_limits_via_split.yml | 13 ----- ...transfer_size_limits_via_split_syscall.yml | 17 ------- ..._database_file_and_directory_discovery.yml | 13 ----- .../linux_auditd_dd_file_overwrite.yml | 12 ----- ...ditd_disable_or_modify_system_firewall.yml | 16 ------ .../linux_auditd_doas_conf_file_creation.yml | 14 ------ .../linux_auditd_doas_tool_execution.yml | 17 ------- ...linux_auditd_edit_cron_table_parameter.yml | 17 ------- ...ux_auditd_file_and_directory_discovery.yml | 9 ---- ...le_permissions_modification_via_chattr.yml | 13 ----- ...ind_credentials_from_password_managers.yml | 13 ----- ..._find_credentials_from_password_stores.yml | 13 ----- .../linux_auditd_find_ssh_private_keys.yml | 13 ----- ...linux_auditd_hardware_addition_swapoff.yml | 13 ----- ..._hidden_files_and_directories_creation.yml | 13 ----- ...l_kernel_module_using_modprobe_utility.yml | 17 ------- ...ditd_kernel_module_using_rmmod_utility.yml | 17 ------- ..._auditd_nopasswd_entry_in_sudoers_file.yml | 12 ----- .../linux_auditd_osquery_service_stop.yml | 16 ------ ...ss_or_modification_of_sshd_config_file.yml | 14 ------ ...td_possible_access_to_credential_files.yml | 12 ----- ...auditd_possible_access_to_sudoers_file.yml | 14 ------ ...cronjob_entry_on_existing_cronjob_file.yml | 15 ------ ...ux_auditd_preload_hijack_library_calls.yml | 13 ----- 
...auditd_preload_hijack_via_preload_file.yml | 14 ------ ...ivate_keys_and_certificate_enumeration.yml | 13 ----- .../linux_auditd_service_restarted.yml | 12 ----- .../endpoint/linux_auditd_service_started.yml | 12 ----- ...inux_auditd_setuid_using_chmod_utility.yml | 12 ----- ...nux_auditd_setuid_using_setcap_utility.yml | 13 ----- .../linux_auditd_shred_overwrite_command.yml | 12 ----- .../endpoint/linux_auditd_stop_services.yml | 16 ------ .../linux_auditd_sudo_or_su_execution.yml | 12 ----- .../linux_auditd_sysmon_service_stop.yml | 16 ------ ...system_network_configuration_discovery.yml | 17 ------- ..._unix_shell_configuration_modification.yml | 14 ------ ...inux_auditd_unload_module_via_modprobe.yml | 13 ----- ...tual_disk_file_and_directory_discovery.yml | 13 ----- .../linux_auditd_whoami_user_discovery.yml | 17 ------- ...hell_process___execution_policy_bypass.yml | 22 -------- .../microsoft_defender_atp_alerts.yml | 50 ------------------- .../microsoft_defender_incident_alerts.yml | 50 ------------------- ...twork_configuration_discovery_activity.yml | 34 ------------- ...ding_dotnet_into_memory_via_reflection.yml | 20 -------- ...print_spooler_failed_to_load_a_plug_in.yml | 15 ------ ...nstallation_with_suspicious_parameters.yml | 20 -------- ...ndows_attempt_to_stop_security_service.yml | 34 ------------- ...indows_bitlockertogo_process_execution.yml | 9 ---- ...ws_bitlockertogo_with_network_activity.yml | 5 -- ..._tool_execution_from_non_shell_process.yml | 34 ------------- ..._common_abused_cmd_shell_risk_behavior.yml | 16 ------ ...te_local_administrator_account_via_net.yml | 34 ------------- ...s_domain_admin_impersonation_indicator.yml | 16 ------ ...dows_esx_admins_group_creation_via_net.yml | 22 -------- ...windows_excessive_service_stop_attempt.yml | 26 ---------- .../windows_excessive_usage_of_net_app.yml | 30 ----------- .../windows_group_discovery_via_net.yml | 21 -------- ...ttp_network_communication_from_msiexec.yml | 33 ------------ 
...s_via_set_command_from_uncommon_parent.yml | 22 -------- ...s_network_connection_discovery_via_net.yml | 21 -------- ...dows_network_share_interaction_via_net.yml | 21 -------- ...new_default_file_association_value_set.yml | 20 -------- ...office_product_dropped_cab_or_inf_file.yml | 21 -------- ...s_office_product_dropped_uncommon_file.yml | 20 -------- ...ws_office_product_loaded_mshtml_module.yml | 20 -------- ...ws_office_product_loading_taskschd_dll.yml | 19 ------- ...indows_office_product_loading_vbe7_dll.yml | 19 ------- ...uct_spawned_child_process_for_download.yml | 22 -------- ...windows_office_product_spawned_control.yml | 30 ----------- .../windows_office_product_spawned_msdt.yml | 22 -------- ...e_product_spawned_rundll32_with_no_dll.yml | 28 ----------- ...ffice_product_spawned_uncommon_process.yml | 35 ------------- ...ows_password_policy_discovery_with_net.yml | 27 ---------- ...dows_registry_entries_exported_via_reg.yml | 28 ----------- ...dows_registry_entries_restored_via_reg.yml | 28 ----------- ...ows_sensitive_group_discovery_with_net.yml | 21 -------- ...ive_registry_hive_dump_via_commandline.yml | 30 ----------- .../endpoint/windows_service_creation.yml | 17 ------- 87 files changed, 1647 deletions(-) diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml index 50d7f1336b..25eb6d0890 100644 --- a/detections/endpoint/excel_spawning_windows_script_host.yml +++ b/detections/endpoint/excel_spawning_windows_script_host.yml 
@@ -58,43 +58,13 @@ tags: - Spearphishing Attachments - Compromised Windows Host asset_type: Endpoint - confidence: 100 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$, indicating potential suspicious macro execution. mitre_attack_id: - T1003.002 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - process_id - - parent_process_name - - dest - - user - - parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml index 5a3a149d50..6c10c6f275 100644 --- a/detections/endpoint/linux_auditd_add_user_account.yml +++ b/detections/endpoint/linux_auditd_add_user_account.yml @@ -28,25 +28,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to add a user account. mitre_attack_id: - T1136.001 - T1136 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml index ae806eb40b..b058a0c9f4 100644 --- a/detections/endpoint/linux_auditd_add_user_account_type.yml +++ b/detections/endpoint/linux_auditd_add_user_account_type.yml 
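Review bot: The `mitre_attack_id` list kept as context in excel_spawning_windows_script_host.yml still maps the rule to `T1003.002` and `T1003`, which are the OS Credential Dumping (Security Account Manager) techniques, while the rule name and the `Spearphishing Attachments` story above it describe an Office-to-Windows-Script-Host spawn. This looks like a mapping copied from a credential-dumping rule rather than a deliberate choice, and since this commit is already reworking the tag block it is the moment to correct it; `T1566.001` (and `T1059.005` for the script host) appears to be the intended mapping, to be confirmed against the rule description, which is outside the hunk. The same `T1003.002`/`T1003` pair is what the registry-hive-dump rule earlier in this series legitimately uses.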
@@ -29,30 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: New [$type$] event on host - [$dest$] to add a user account type. mitre_attack_id: - T1136 - T1136.001 - observable: - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - exe - - pid - - hostname - - res - - UID - - type - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index aebd078139..0084dbce6d 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml +++ b/detections/endpoint/linux_auditd_at_application_execution.yml @@ -31,30 +31,13 @@ tags: - Linux Living Off The Land - Compromised Linux Host asset_type: Endpoint - confidence: 30 - impact: 30 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "at" application. mitre_attack_id: - T1053.002 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml index 515e0c4417..b3f8512259 100644 --- a/detections/endpoint/linux_auditd_auditd_service_stop.yml +++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml 
@@ -29,28 +29,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A service event - [$type$] event occurred on host - [$dest$]. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml index bdb33137ab..38f0533d96 100644 --- a/detections/endpoint/linux_auditd_base64_decode_files.yml +++ b/detections/endpoint/linux_auditd_base64_decode_files.yml @@ -30,25 +30,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using base64. mitre_attack_id: - T1140 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml index 89247b3e0a..13784c73f7 100644 --- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml 
@@ -30,25 +30,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner to root. mitre_attack_id: - T1222.002 - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml index e844e3cc50..4b3ad20b66 100644 --- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml +++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml @@ -28,25 +28,12 @@ tags: - Linux Living Off The Land - Compromised Linux Host asset_type: Endpoint - confidence: 40 - impact: 40 - message: A [$process_exec$] event occurred on host - [$dest$] to copy data from the clipboard. mitre_attack_id: - T1115 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml index 3201e7e0e0..e69160ec5f 100644 --- a/detections/endpoint/linux_auditd_data_destruction_command.yml +++ b/detections/endpoint/linux_auditd_data_destruction_command.yml 
@@ -29,25 +29,12 @@ tags: - AwfulShred - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 100 - message: A [$process_exec$] event occurred on host - [$dest$] to destroy data. mitre_attack_id: - T1485 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 90 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index de934eb8a4..2e2c6a3e6e 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml @@ -29,25 +29,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$process_exec$] event occurred on host - [$dest$] to split a file. mitre_attack_id: - T1030 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml index 58925c0293..9c30d10fae 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml 
@@ -29,29 +29,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] that limits the size of data transfer. mitre_attack_id: - T1030 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml index 60d8cb7835..ade8e0963c 100644 --- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml @@ -30,25 +30,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to discover database files and directories. mitre_attack_id: - T1083 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml index 2c3e57ad31..7582f3f830 100644 --- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml +++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml 
@@ -29,24 +29,12 @@ tags: - Data Destruction - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$]. mitre_attack_id: - T1485 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml index 9397655d75..e9ebbd65c8 100644 --- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml @@ -29,29 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A service event - [$type$] to disable or modify system firewall occurred on host - [$dest$] . mitre_attack_id: - T1562.004 - T1562 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index 0e3c174dfc..06ac060b5a 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml 
@@ -29,27 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$type$] event occurred on host - [$dest$] to create a doas.conf file. mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index 54af2e3220..3e9f267e64 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml @@ -29,30 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "doas" tool. mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index d97f39e47d..336e5f94d9 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml 
@@ -30,30 +30,13 @@ tags: - Linux Living Off The Land - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to edit the cron table. mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml index 4aed31144d..e41ce58104 100644 --- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml @@ -30,16 +30,8 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to discover files and directories. mitre_attack_id: - T1083 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security @@ -48,7 +40,6 @@ tags: - _time - argc - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml index a9bc8b21af..ef108ec994 100644 --- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml +++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml 
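Review bot: `required_fields` survives in linux_auditd_file_and_directory_discovery.yml: the second hunk (`@@ -48,7 +40,6 @@`) keeps the `- _time`, `- argc` and `- process_exec` entries as context and removes only `risk_score: 25`, whereas every other file in this commit drops the whole `required_fields` list together with `confidence`, `impact`, `message` and `observable`. The diffstat's 9 deletions for this file against 13 for the otherwise identical sibling rules (e.g. linux_auditd_database_file_and_directory_discovery.yml) confirms the block was missed rather than intentionally kept. The `required_fields:` key itself sits between the two hunks and is not visible here; the fix is to delete that key and its three entries so the file matches the others.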
@@ -29,26 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions using the "chattr" command. mitre_attack_id: - T1222.002 - T1222 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml index 81daf23272..7c3d0d5f96 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml @@ -30,26 +30,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to find credentials stored in password managers. mitre_attack_id: - T1555.005 - T1555 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml index 6dfab9fc46..52eaee55b9 100644 --- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml +++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml 
@@ -30,26 +30,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to find credentials stored in password managers. mitre_attack_id: - T1555.005 - T1555 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml index 23f64f41be..02d503e9d5 100644 --- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml @@ -30,26 +30,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$process_exec$] event occurred on host - [$dest$] to find SSH private keys. mitre_attack_id: - T1552.004 - T1552 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml index 3c8f5b1bba..9753bdfd30 100644 --- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml 
@@ -28,25 +28,12 @@ tags: - AwfulShred - Compromised Linux Host asset_type: Endpoint - confidence: 60 - impact: 60 - message: A [$process_exec$] event occurred on host - [$dest$] to disable the swapping of paging devices on a Linux system. mitre_attack_id: - T1200 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml index 4a11ae5b48..b5db900508 100644 --- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml @@ -30,25 +30,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$]. mitre_attack_id: - T1083 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml index 0fc792ad0f..7be24b3b66 100644 --- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml 
@@ -31,30 +31,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to install a Linux kernel module using the modprobe utility. mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml index 387d6a2b66..390e98bc6a 100644 --- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml +++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml @@ -29,30 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 90 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to remove a Linux kernel module using the rmmod utility. mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml index e8b98b6ce7..a07f3a6dd9 100644 --- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml 
@@ -29,25 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to add NOPASSWD entry in sudoers file. mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml index a71971586d..28ef4f1cb1 100644 --- a/detections/endpoint/linux_auditd_osquery_service_stop.yml +++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml @@ -29,28 +29,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A service event - [$type$] event occurred on host - [$dest$] to stop the osquery service. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index c583a1d8a2..783e1ce760 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml 
@@ -30,27 +30,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$type$] has been accessed/modified on host - [$dest$] to modify the sshd_config file. mitre_attack_id: - T1098.004 - T1098 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml index a9a968eb44..404c3c008d 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml @@ -29,25 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to access or dump the contents of /etc/passwd and /etc/shadow files. mitre_attack_id: - T1003.008 - T1003 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index bb328b6fed..4e41d4d034 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml 
@@ -29,27 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$type$] has been accessed/modified on host - [$dest$] to access or modify the sudoers file. mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index 82bb125034..9f4c9fb5a8 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -43,28 +43,13 @@ tags: - Scheduled Tasks - Linux Persistence Techniques asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$type$] event has occurred on host - [$dest$] to append a cronjob entry - on an existing cronjob file. mitre_attack_id: - T1053.003 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml index f537d137dd..6eef14886f 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml 
@@ -28,26 +28,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$] to hijack or hook library functions using the LD_PRELOAD environment variable. mitre_attack_id: - T1574.006 - T1574 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index 174465cce2..47930b7dbc 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml @@ -29,27 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$type$] event has occurred on host - [$dest$] to modify the preload file. mitre_attack_id: - T1574.006 - T1574 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml index b30b4049b2..208899c9ed 100644 --- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml +++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml 
@@ -30,26 +30,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to find private keys. mitre_attack_id: - T1552.004 - T1552 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml index 25f7969556..5cf26907bf 100644 --- a/detections/endpoint/linux_auditd_service_restarted.yml +++ b/detections/endpoint/linux_auditd_service_restarted.yml @@ -33,25 +33,13 @@ tags: - Gomir - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to restart or re-enable a service. mitre_attack_id: - T1053.006 - T1053 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml index 82e6f41015..1eb2f52950 100644 --- a/detections/endpoint/linux_auditd_service_started.yml +++ b/detections/endpoint/linux_auditd_service_started.yml 
@@ -29,25 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$process_exec$] event occurred on host - [$dest$] to start or enable a service. mitre_attack_id: - T1569.002 - T1569 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml index b299839343..0a5901105b 100644 --- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml +++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml @@ -29,25 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the chmod utility. mitre_attack_id: - T1548.001 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml index 0f231adcdb..9a77024d34 100644 --- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml 
@@ -28,26 +28,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the setcap utility. mitre_attack_id: - T1548.001 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml index 76ad5761a6..6b4c425301 100644 --- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml +++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml @@ -32,24 +32,12 @@ tags: - Industroyer2 - Compromised Linux Host asset_type: Endpoint - confidence: 90 - impact: 90 - message: A [$process_exec$] event occurred on host - [$dest$] to overwrite files using the shred utility. mitre_attack_id: - T1485 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 81 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml index 702f5b4a55..23004f47e1 100644 --- a/detections/endpoint/linux_auditd_stop_services.yml +++ b/detections/endpoint/linux_auditd_stop_services.yml 
@@ -30,28 +30,12 @@ tags: - AwfulShred - Compromised Linux Host asset_type: Endpoint - confidence: 30 - impact: 30 - message: A service event - [$type$] event occurred on host - [$dest$] to stop or disable a service. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml index bdde5358db..a334c0aabd 100644 --- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml +++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml @@ -28,25 +28,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to execute the sudo or su command. mitre_attack_id: - T1548.003 - T1548 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - proctitle - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml index ac9a5c1ba7..42823d3bc6 100644 --- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml +++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml 
@@ -29,28 +29,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A service event - [$type$] event occurred on host - [$dest$] to stop or disable the sysmon service. mitre_attack_id: - T1489 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - type - - pid - - UID - - comm - - exe - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml index 202acd5902..23ed547ae0 100644 --- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml +++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml @@ -29,29 +29,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover system network configuration. mitre_attack_id: - T1016 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index 0132fb0852..67d17b2f04 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml 
@@ -30,27 +30,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 80 - impact: 80 - message: A [$type$] event occurred on host - [$dest$] to modify the unix shell configuration file. mitre_attack_id: - T1546.004 - T1546 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - name - - nametype - - OGID - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml index 352bdc7cf4..e2fea0b311 100644 --- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml +++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml @@ -29,26 +29,13 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 70 - impact: 70 - message: A [$process_exec$] event occurred on host - [$dest$] to unload a kernel module via the modprobe command. mitre_attack_id: - T1547.006 - T1547 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 49 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml index 282728f5e7..e3f63c6ec4 100644 --- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml 
@@ -30,25 +30,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A [$process_exec$] event occurred on host - [$dest$] to discover virtual disk files and directories. mitre_attack_id: - T1083 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - argc - - process_exec - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index f8fa35e89b..a016a2f848 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -30,29 +30,12 @@ tags: - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint - confidence: 50 - impact: 50 - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover virtual disk files and directories. mitre_attack_id: - T1033 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - comm - - exe - - SYSCALL - - UID - - ppid - - pid - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index b1c621918f..2492906b66 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml 
@@ -32,35 +32,13 @@ tags: - AsyncRAT - Volt Typhoon asset_type: Endpoint - confidence: 60 - impact: 70 - message: PowerShell local execution policy bypass attempt on $dest$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 42 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml index b01e3965c4..ff2bb3142d 100644 --- a/detections/endpoint/microsoft_defender_atp_alerts.yml +++ b/detections/endpoint/microsoft_defender_atp_alerts.yml 
@@ -36,61 +36,11 @@ tags: - Critical Alerts asset_type: Endpoint atomic_guid: [] - confidence: 90 - impact: 90 - message: $severity$ alert for $src$ - $signature$ mitre_attack_id: [] - observable: - - name: src - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker - - name: process - type: Process Name - role: - - Attacker - - name: ip_address - type: IP Address - role: - - Attacker - - name: registry_key - type: Registry Key - role: - - Attacker - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - entityType - - filePath - - processCommandLine - - ipAddress - - registryKey - - url - - fileName - - risk_score - - firstTime - - lastTime - - src - - severity - - annotations.mitre_attack - - signature - - user - risk_score: 81 security_domain: endpoint manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty. tests: diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml index bbf690276f..a25edb92d9 100644 --- a/detections/endpoint/microsoft_defender_incident_alerts.yml +++ b/detections/endpoint/microsoft_defender_incident_alerts.yml 
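Review bot: The `manual_test` explanation kept as context at the end of this hunk still justifies the manual-test status by "the risk score set in the detection" and "fields set in the observables" being empty, yet the hunk itself deletes both `risk_score` and `observable` from `tags:` in microsoft_defender_atp_alerts.yml, so the rationale now points at fields this file no longer declares. Either reword it to whatever now carries the severity-derived risk score and the entity list, or re-evaluate whether the `manual_test` flag is still warranted once those fields are gone. If the dynamic-score reason still holds, something like `manual_test: The SPL derives risk_score from the alert severity, which supersedes any static score, so integration testing cannot assert a fixed value.` would be accurate without referencing removed keys. I cannot see from this patch where the risk/observable configuration moved, so the replacement text needs confirming against the rest of the change.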
@@ -42,61 +42,11 @@ tags: - Critical Alerts asset_type: Endpoint atomic_guid: [] - confidence: 90 - impact: 90 - message: $severity$ alert for $dest$ - $signature$ mitre_attack_id: [] - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: file_name - type: File Name - role: - - Attacker - - name: process - type: Process Name - role: - - Attacker - - name: ip_address - type: IP Address - role: - - Attacker - - name: registry_key - type: Registry Key - role: - - Attacker - - name: url - type: URL String - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - entityType - - filePath - - processCommandLine - - ipAddress - - registryKey - - url - - fileName - - risk_score - - firstTime - - lastTime - - src - - severity - - annotations.mitre_attack.mitre_technique_id - - signature - - user - risk_score: 81 security_domain: endpoint manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty. tests: diff --git a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml index 8735dc9e4f..6cd7997756 100644 --- a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml +++ b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml 
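Review bot: microsoft_defender_incident_alerts.yml has the same stale rationale as its ATP sibling: the `manual_test` text retained as context cites empty observable fields and a static risk score that this hunk removes (`observable`, `risk_score: 81`, `required_fields` are all deleted from `tags:`). A reader of the new file can no longer find the "fields set in the observables" the note refers to. Reword the justification to describe only what remains true (the SPL computing `risk_score` from `severity`), or drop the `manual_test` flag if the unit-test failure it describes was caused solely by the now-removed observable entries. Whether that failure persists is not determinable from this patch alone.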
@@ -27,46 +27,12 @@ tags: analytic_story: - Unusual Processes asset_type: Endpoint - confidence: 50 - impact: 50 - message: An instance of $parent_process_name$ spawning multiple network discovery processes such as $process_name$ was identified on endpoint $dest$ by user $user$. mitre_attack_id: - T1016 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index 44681b760d..b6d6b21dc1 100644 --- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml 
@@ -35,33 +35,13 @@ tags: - Malicious PowerShell - Data Destruction asset_type: Endpoint - confidence: 80 - impact: 70 - message: A suspicious powershell script that contains calls to reflective class assembly command in $ScriptBlockText$ is potentially trying to load malicious .NET code in memory in host $Computer$ mitre_attack_id: - T1059 - T1059.001 - observable: - - name: Computer - type: Hostname - role: - - Victim - - name: UserID - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ScriptBlockText - - Opcode - - Computer - - UserID - - EventCode - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml index 509c62f4b1..598dfc25f6 100644 --- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml +++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml @@ -29,31 +29,16 @@ tags: analytic_story: - PrintNightmare CVE-2021-34527 asset_type: Endpoint - confidence: 90 cve: - CVE-2021-34527 - CVE-2021-1675 - impact: 80 - message: Suspicious printer spooler errors have occurred on endpoint $ComputerName$ with EventCode $EventCode$. mitre_attack_id: - T1547.012 - T1547 - observable: - - name: ComputerName - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - OpCode - - EventCode - - ComputerName - - Message - risk_score: 72 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml index b93fb7da28..9a524277f3 100644 --- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml 
+++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml @@ -40,33 +40,13 @@ tags: - Windows Persistence Techniques - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: A process $process_name$ that possible create a shim db silently in host - $dest$ mitre_attack_id: - T1546.011 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_name - - Processes.parent_process_name - - Processes.dest - - Processes.user - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_attempt_to_stop_security_service.yml b/detections/endpoint/windows_attempt_to_stop_security_service.yml index 1083c18407..36347b3b34 100644 --- a/detections/endpoint/windows_attempt_to_stop_security_service.yml +++ b/detections/endpoint/windows_attempt_to_stop_security_service.yml 
@@ -34,47 +34,13 @@ tags: - Azorult - Trickbot asset_type: Endpoint - confidence: 80 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. mitre_attack_id: - T1562.001 - T1562 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_bitlockertogo_process_execution.yml b/detections/endpoint/windows_bitlockertogo_process_execution.yml index 61c3ece759..a6607a72a8 100644 --- a/detections/endpoint/windows_bitlockertogo_process_execution.yml +++ b/detections/endpoint/windows_bitlockertogo_process_execution.yml @@ -42,15 +42,6 @@ tags: asset_type: Endpoint mitre_attack_id: - T1218 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml index 697b12d58d..9be44cb329 100644 --- a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml +++ b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml 
@@ -38,11 +38,6 @@ tags: asset_type: Endpoint mitre_attack_id: - T1218 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index 647d330d1f..bfea210231 100644 --- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -37,47 +37,13 @@ tags: - CISA AA23-347A - Gozi Malware asset_type: Endpoint - confidence: 40 - impact: 40 - message: $process_name$ was spawned from an uncommon parent process $parent_process_name$ on $dest$. mitre_attack_id: - T1059 - T1059.007 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 16 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml index 43e057c70d..8e8aba3b57 100644 --- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml +++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml 
@@ -36,9 +36,6 @@ tags: - CISA AA23-347A - Disabling Security Tools asset_type: Endpoint - confidence: 70 - impact: 70 - message: series of process commandline being abused by threat actor have been identified on $risk_object$ mitre_attack_id: - T1222 - T1049 @@ -46,23 +43,10 @@ tags: - T1529 - T1016 - T1059 - observable: - - name: risk_object - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 - required_fields: - - _time - - All_Risk.analyticstories - - All_Risk.risk_object_type - - All_Risk.risk_object - - All_Risk.annotations.mitre_attack.mitre_tactic - - source security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_create_local_administrator_account_via_net.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml index 8d655f6725..90f25d28e9 100644 --- a/detections/endpoint/windows_create_local_administrator_account_via_net.yml +++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml 
@@ -31,47 +31,13 @@ tags: - DarkGate Malware - CISA AA24-241A asset_type: Endpoint - confidence: 60 - impact: 50 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group. mitre_attack_id: - T1136.001 - T1136 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 30 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml index 1f4c9d8bfa..1bee496a19 100644 --- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml +++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml @@ -65,28 +65,12 @@ tags: - Compromised Windows Host - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 100 - impact: 80 - message: $TargetUserName$ may be impersonating a Domain Administrator through a - forged Kerberos ticket. mitre_attack_id: - T1558 - observable: - - name: TargetUserName - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 80 - required_fields: - - _time, - - EventCode - - LogonType - - TargetUserName - - GroupMembership security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml index 61ff643051..b404ba054e 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml @@ -30,35 +30,13 @@ tags: analytic_story: - VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 asset_type: Endpoint - confidence: 70 - impact: 80 - message: An attempt to create an "ESX Admins" group was detected on $dest$ by user $user$. mitre_attack_id: - T1136.002 - T1136.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.original_file_name risk_score: 56 security_domain: endpoint cve: diff --git a/detections/endpoint/windows_excessive_service_stop_attempt.yml b/detections/endpoint/windows_excessive_service_stop_attempt.yml index 2ae9713bcd..de83371e43 100644 --- a/detections/endpoint/windows_excessive_service_stop_attempt.yml +++ b/detections/endpoint/windows_excessive_service_stop_attempt.yml 
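Review bot: The `risk_score: 56` line in windows_esx_admins_group_creation_via_net.yml appears to survive this hunk while `confidence`, `impact`, `message`, `observable` and `required_fields` are removed, whereas every sibling hunk in this patch (for example windows_excessive_service_stop_attempt.yml directly below) also drops `risk_score`; the marker column is collapsed in this view, so I am inferring that from the hunk counts and the missing `-` before the line. The same incomplete removal shows up in windows_office_product_spawned_msdt.yml, where the second hunk at `@@ -99,7 +78,6 @@` removes only `risk_score: 100` and leaves the `required_fields` entries (`- Processes.parent_process_path` … `- Processes.parent_process_id`) in place. If the intent of the series is that these keys are replaced by a new risk block elsewhere, the leftover values will drift from whatever now drives scoring, and a strict schema check would presumably fail on just these two files rather than the whole set; suggest deleting `risk_score: 56` here and the remaining `required_fields` block in the msdt detection so the migration is uniform.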
@@ -30,38 +30,12 @@ tags: - Ransomware - BlackByte Ransomware asset_type: Endpoint - confidence: 100 - impact: 80 - message: An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. mitre_attack_id: - T1489 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_excessive_usage_of_net_app.yml b/detections/endpoint/windows_excessive_usage_of_net_app.yml index 3cbb7b6a9d..6c507c45d5 100644 --- a/detections/endpoint/windows_excessive_usage_of_net_app.yml +++ b/detections/endpoint/windows_excessive_usage_of_net_app.yml 
@@ -34,42 +34,12 @@ tags: - Ransomware - Rhysida Ransomware asset_type: Endpoint - confidence: 70 - impact: 40 - message: Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$ mitre_attack_id: - T1531 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 28 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_group_discovery_via_net.yml b/detections/endpoint/windows_group_discovery_via_net.yml index f63eadc65a..b351dac9de 100644 --- a/detections/endpoint/windows_group_discovery_via_net.yml +++ b/detections/endpoint/windows_group_discovery_via_net.yml @@ -32,35 +32,14 @@ tags: - Windows Discovery Techniques - Azorult asset_type: Endpoint - confidence: 50 - impact: 30 - message: Local or domain group enumeration on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.001 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml index 90fead6067..75bf669de1 100644 --- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml @@ -27,45 +27,12 @@ tags: analytic_story: - Windows System Binary Proxy Execution MSIExec asset_type: Endpoint - confidence: 50 - impact: 50 - message: An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$ on port $dest_port$ mitre_attack_id: - T1218.007 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process Name - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.process_id - - Processes.process_name - - Processes.dest - - Processes.process_path - - Processes.process - - Processes.parent_process_name - - All_Traffic.process_id - - All_Traffic.dest - - All_Traffic.dest_port - - All_Traffic.dest_ip - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml index c2ca59a1d5..f83e86cb4c 100644 --- a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml +++ b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml 
@@ -28,34 +28,12 @@ tags: analytic_story: - Qakbot asset_type: Endpoint - confidence: 50 - impact: 50 - message: $parent_process_name$ Spawned $process_name$ with a commandline $process$ in $dest$ mitre_attack_id: - T1055 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_network_connection_discovery_via_net.yml b/detections/endpoint/windows_network_connection_discovery_via_net.yml index cdba356391..85a981ccaf 100644 --- a/detections/endpoint/windows_network_connection_discovery_via_net.yml +++ b/detections/endpoint/windows_network_connection_discovery_via_net.yml @@ -22,33 +22,12 @@ tags: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 50 - impact: 30 - message: Network Connection discovery on $dest$ by $user$ mitre_attack_id: - T1049 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 15 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_network_share_interaction_via_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml index f8098110ef..8fb2277403 100644 --- a/detections/endpoint/windows_network_share_interaction_via_net.yml +++ b/detections/endpoint/windows_network_share_interaction_via_net.yml @@ -32,34 +32,13 @@ tags: asset_type: Endpoint atomic_guid: - ab39a04f-0c93-4540-9ff2-83f862c385ae - confidence: 100 - impact: 20 - message: User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$ mitre_attack_id: - T1135 - T1039 - required_fields: - - Processes.process_name - - Processes.user - - Processes.dest - - Processes.process_exec - - Processes.parent_process_exec - - Processes.process - - Processes.parent_process - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 20 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_new_default_file_association_value_set.yml b/detections/endpoint/windows_new_default_file_association_value_set.yml index d6f71a881f..3b77265c00 100644 --- a/detections/endpoint/windows_new_default_file_association_value_set.yml +++ b/detections/endpoint/windows_new_default_file_association_value_set.yml 
@@ -31,33 +31,13 @@ tags: - Windows Persistence Techniques - Data Destruction asset_type: Endpoint - confidence: 50 - impact: 50 - message: Default file association for $registry_path$ was modified to $registry_value_data$ in $dest$. mitre_attack_id: - T1546.001 - T1546 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.user - - Registry.registry_path - - Registry.registry_key_name - - Registry.registry_value_name - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml index 00b394fcb1..af6dcfcbad 100644 --- a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml +++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml @@ -41,36 +41,15 @@ tags: - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - Compromised Windows Host asset_type: Endpoint - confidence: 100 cve: - CVE-2021-40444 - impact: 80 - message: An instance of $process_name$ was identified on $dest$ writing a .inf or .cab file. This is uncommon behavior and require further investigation. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - dest - - process_name - - process - - file_create_time - - file_name - - file_path - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml index 58ff81e65e..bddfbc1e24 100644 
--- a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml +++ b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml @@ -39,33 +39,13 @@ tags: - AgentTesla - PlugX asset_type: Endpoint - confidence: 60 - impact: 60 - message: An instance of $process_name$ was identified on $dest$ writing the file $file_name$. This is uncommon behavior and require further investigation. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - file_name - - process_guid - - dest - - user_id - risk_score: 36 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml index 6b17ff86fd..531428723b 100644 --- a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml +++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml @@ -31,35 +31,15 @@ tags: - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - CVE-2023-36884 Office and Windows HTML RCE Vulnerability asset_type: Endpoint - confidence: 100 cve: - CVE-2021-40444 - impact: 80 - message: An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - ImageLoaded - - process_name - - OriginalFileName - - process_id - - dest - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml index 242d4caaea..9dfd532495 100644 --- a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml +++ b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml @@ -28,32 +28,13 @@ tags: analytic_story: - Spearphishing Attachments asset_type: Endpoint - confidence: 50 - impact: 50 - message: $process_name$ was identified loading the taskschd.dll on $dest$. This could indicate a potential malicious macro being executed. Further analysis is required. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - ImageLoaded - - AllImageLoaded - - dest - - EventCode - - Image - - process_name - - ProcessId - - ProcessGuid - - _time - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml index 7486928eaa..585cca431d 100644 --- a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml +++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml 
@@ -40,32 +40,13 @@ tags: - PlugX - NjRAT asset_type: Endpoint - confidence: 50 - impact: 50 - message: $process_name$ was identified loading $loaded_file_path$ on $dest$. This could indicate a potential malicious macro being executed. Further analysis is required. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - ImageLoaded - - AllImageLoaded - - dest - - EventCode - - Image - - process_name - - ProcessId - - ProcessGuid - - _time - risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml index 1736227ef8..1d46e41096 100644 --- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml +++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml @@ -32,35 +32,13 @@ tags: - PlugX - NjRAT asset_type: Endpoint - confidence: 50 - impact: 70 - message: Office document spawning suspicious child process on $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 35 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_spawned_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml index e69030ff03..0878b4d611 100644 
--- a/detections/endpoint/windows_office_product_spawned_control.yml +++ b/detections/endpoint/windows_office_product_spawned_control.yml @@ -56,45 +56,15 @@ tags: - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - Compromised Windows Host asset_type: Endpoint - confidence: 100 cve: - CVE-2021-40444 - impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ clicking a suspicious attachment. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 80 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml index 0f67d0dab1..51adb635a8 100644 --- a/detections/endpoint/windows_office_product_spawned_msdt.yml +++ b/detections/endpoint/windows_office_product_spawned_msdt.yml 
@@ -56,32 +56,11 @@ tags: - Compromised Windows Host - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 asset_type: Endpoint - confidence: 100 cve: - CVE-2022-30190 - impact: 100 - message: Office parent process $parent_process_name$ has spawned a child process - $process_name$ on host $dest$. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security @@ -99,7 +78,6 @@ tags: - Processes.parent_process_path - Processes.process_path - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml index 53b0bfcd5c..0a3ad75c8d 100644 --- a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml +++ b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml 
@@ -53,41 +53,13 @@ tags: - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ and no dll commandline $process$ - in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml index 6ff3bac2c6..6894764e34 100644 --- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml +++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml 
@@ -61,48 +61,13 @@ tags: - Trickbot - Warzone RAT asset_type: Endpoint - confidence: 100 - impact: 100 - message: Office process $parent_process_name$ spawned a potentially suspicious child - process $process_name$ with process id $process_id$ in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 100 security_domain: endpoint tests: - name: True Positive Test - Macro diff --git a/detections/endpoint/windows_password_policy_discovery_with_net.yml b/detections/endpoint/windows_password_policy_discovery_with_net.yml index 1c79471ad6..9253379379 100644 --- a/detections/endpoint/windows_password_policy_discovery_with_net.yml +++ b/detections/endpoint/windows_password_policy_discovery_with_net.yml 
@@ -19,39 +19,12 @@ tags: analytic_story: - Active Directory Discovery asset_type: Endpoint - confidence: 30 - impact: 30 - message: an instance of process $process_name$ with commandline $process$ in $dest$ mitre_attack_id: - T1201 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_id - - Processes.parent_process_name - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_registry_entries_exported_via_reg.yml b/detections/endpoint/windows_registry_entries_exported_via_reg.yml index b8bc479897..594d20607e 100644 --- a/detections/endpoint/windows_registry_entries_exported_via_reg.yml +++ b/detections/endpoint/windows_registry_entries_exported_via_reg.yml @@ -23,40 +23,12 @@ tags: - CISA AA23-347A - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: execution of process $process_name$ in $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test 
diff --git a/detections/endpoint/windows_registry_entries_restored_via_reg.yml b/detections/endpoint/windows_registry_entries_restored_via_reg.yml index a443300194..39e55f7395 100644 --- a/detections/endpoint/windows_registry_entries_restored_via_reg.yml +++ b/detections/endpoint/windows_registry_entries_restored_via_reg.yml @@ -22,40 +22,12 @@ tags: - Windows Post-Exploitation - Prestige Ransomware asset_type: Endpoint - confidence: 30 - impact: 30 - message: execution of process $process_name$ in $dest$ mitre_attack_id: - T1012 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: user - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - - Processes.parent_process_guid - - Processes.process_guid - risk_score: 9 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml index d02a2c241a..5bafee9f07 100644 --- a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml +++ b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml 
@@ -36,34 +36,13 @@ tags: - BlackSuit Ransomware - IcedID asset_type: Endpoint - confidence: 70 - impact: 30 - message: Elevated domain group discovery enumeration on $dest$ by $user$ mitre_attack_id: - T1069 - T1069.002 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 21 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml index 486b60664a..83995aa775 100644 --- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml +++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml 
@@ -38,43 +38,13 @@ tags: - Volt Typhoon - Windows Registry Abuse asset_type: Endpoint - confidence: 70 - impact: 80 - message: Suspicious use of `reg.exe` or `regedit.exe` to export sensitive registry hives that could potentially contain credentials, executed on $dest$ by user $user$, with a parent process of $parent_process_name$ mitre_attack_id: - T1003.002 - T1003 - observable: - - name: user - type: User - role: - - Victim - - name: dest - type: Endpoint - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test - Sysmon diff --git a/detections/endpoint/windows_service_creation.yml b/detections/endpoint/windows_service_creation.yml index b36adf5b71..b668074316 100644 --- a/detections/endpoint/windows_service_creation.yml +++ b/detections/endpoint/windows_service_creation.yml @@ -41,29 +41,12 @@ tags: - PlugX - CISA AA23-347A asset_type: Endpoint - confidence: 80 - impact: 80 - message: A Windows Service was created on a endpoint from $dest$ using a registry entry mitre_attack_id: - T1574.011 - observable: - - name: dest - type: Endpoint - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Registry.dest - - Registry.registry_value_name - - Registry.registry_key_name - - Registry.registry_path - - Registry.registry_value_data - - Registry.process_guid - risk_score: 64 security_domain: endpoint tests: - name: True Positive Test 
From 8cf6cfecf640894f61704b9afaa40d7c1773a793 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali Date: Wed, 22 Jan 2025 20:18:12 +0100 Subject: [PATCH 27/37] rba changes --- .../excel_spawning_windows_script_host.yml | 19 +++++++- .../office_product_spawning_mshta.yml | 37 +++++----------- ...e_product_spawning_windows_script_host.yml | 44 +++++-------------- .../office_product_spawning_wmic.yml | 37 +++++----------- .../deprecated/winword_spawning_cmd.yml | 44 ++++++------------- .../winword_spawning_windows_script_host.yml | 37 +++++----------- .../linux_auditd_add_user_account.yml | 7 +++ .../linux_auditd_add_user_account_type.yml | 7 +++ .../linux_auditd_at_application_execution.yml | 8 ++++ .../linux_auditd_auditd_service_stop.yml | 7 +++ .../linux_auditd_base64_decode_files.yml | 8 ++++ ...linux_auditd_change_file_owner_to_root.yml | 8 ++++ .../linux_auditd_clipboard_data_copy.yml | 9 +++- .../linux_auditd_data_destruction_command.yml | 7 +++ ...td_data_transfer_size_limits_via_split.yml | 7 +++ ...transfer_size_limits_via_split_syscall.yml | 8 ++++ ..._database_file_and_directory_discovery.yml | 8 ++++ .../linux_auditd_dd_file_overwrite.yml | 7 +++ ...ditd_disable_or_modify_system_firewall.yml | 8 ++++ .../linux_auditd_doas_conf_file_creation.yml | 7 +++ .../linux_auditd_doas_tool_execution.yml | 8 ++++ ...linux_auditd_edit_cron_table_parameter.yml | 8 ++++ ...ux_auditd_file_and_directory_discovery.yml | 12 +++-- ...le_permissions_modification_via_chattr.yml | 8 ++++ ...ind_credentials_from_password_managers.yml | 8 ++++ ..._find_credentials_from_password_stores.yml | 8 ++++ .../linux_auditd_find_ssh_private_keys.yml | 8 ++++ ...linux_auditd_hardware_addition_swapoff.yml | 9 +++- ..._hidden_files_and_directories_creation.yml | 7 +++ ...l_kernel_module_using_modprobe_utility.yml | 8 ++++ ...ditd_kernel_module_using_rmmod_utility.yml | 8 ++++ ..._auditd_nopasswd_entry_in_sudoers_file.yml | 8 ++++ .../linux_auditd_osquery_service_stop.yml | 8 ++++ ...ss_or_modification_of_sshd_config_file.yml | 8 ++++ 
...td_possible_access_to_credential_files.yml | 8 ++++ ...auditd_possible_access_to_sudoers_file.yml | 8 ++++ ...ux_auditd_preload_hijack_library_calls.yml | 8 ++++ ...auditd_preload_hijack_via_preload_file.yml | 7 +++ ...ivate_keys_and_certificate_enumeration.yml | 7 +++ .../linux_auditd_service_restarted.yml | 8 ++++ .../endpoint/linux_auditd_service_started.yml | 8 ++++ ...inux_auditd_setuid_using_chmod_utility.yml | 8 ++++ ...nux_auditd_setuid_using_setcap_utility.yml | 8 ++++ .../linux_auditd_shred_overwrite_command.yml | 8 ++++ .../endpoint/linux_auditd_stop_services.yml | 8 ++++ .../linux_auditd_sudo_or_su_execution.yml | 8 ++++ .../linux_auditd_sysmon_service_stop.yml | 8 ++++ ...system_network_configuration_discovery.yml | 8 ++++ ..._unix_shell_configuration_modification.yml | 8 ++++ ...inux_auditd_unload_module_via_modprobe.yml | 8 ++++ ...tual_disk_file_and_directory_discovery.yml | 8 ++++ .../linux_auditd_whoami_user_discovery.yml | 8 ++++ ...hell_process___execution_policy_bypass.yml | 7 +++ .../microsoft_defender_atp_alerts.yml | 20 +++++++++ .../microsoft_defender_incident_alerts.yml | 20 +++++++++ ...twork_configuration_discovery_activity.yml | 16 +++++++ ...ding_dotnet_into_memory_via_reflection.yml | 12 +++++ ...print_spooler_failed_to_load_a_plug_in.yml | 8 ++++ ...nstallation_with_suspicious_parameters.yml | 11 +++++ ...ndows_attempt_to_stop_security_service.yml | 15 +++++++ ...indows_bitlockertogo_process_execution.yml | 9 ++++ ...ws_bitlockertogo_with_network_activity.yml | 5 +++ ..._tool_execution_from_non_shell_process.yml | 15 +++++++ ...te_local_administrator_account_via_net.yml | 16 +++++++ ...s_domain_admin_impersonation_indicator.yml | 8 ++++ ...dows_esx_admins_group_creation_via_net.yml | 12 ++++- ...windows_excessive_service_stop_attempt.yml | 10 +++++ .../windows_excessive_usage_of_net_app.yml | 13 ++++++ ...ttp_network_communication_from_msiexec.yml | 15 +++++++ ...s_via_set_command_from_uncommon_parent.yml | 8 ++++ 
 ...dows_network_share_interaction_via_net.yml | 11 +++++
 ...office_product_dropped_cab_or_inf_file.yml | 10 +++++
 ...s_office_product_dropped_uncommon_file.yml | 9 ++++
 ...ws_office_product_loaded_mshtml_module.yml | 10 +++++
 ...ws_office_product_loading_taskschd_dll.yml | 8 ++++
 ...indows_office_product_loading_vbe7_dll.yml | 7 +++
 ...uct_spawned_child_process_for_download.yml | 7 +++
 ...windows_office_product_spawned_control.yml | 12 +++++
 .../windows_office_product_spawned_msdt.yml | 15 +++++++
 ...e_product_spawned_rundll32_with_no_dll.yml | 11 +++++
 ...ffice_product_spawned_uncommon_process.yml | 12 +++++
 ...ows_sensitive_group_discovery_with_net.yml | 7 +++
 ...ive_registry_hive_dump_via_commandline.yml | 13 ++++++
 .../endpoint/windows_service_creation.yml | 8 ++++
 macros/process_office_products.yml | 2 +-
 85 files changed, 792 insertions(+), 152 deletions(-)
 rename detections/{endpoint => deprecated}/excel_spawning_windows_script_host.yml (90%)
diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/deprecated/excel_spawning_windows_script_host.yml
similarity index 90%
rename from detections/endpoint/excel_spawning_windows_script_host.yml
rename to detections/deprecated/excel_spawning_windows_script_host.yml
index 25eb6d0890..70da2b9f10 100644
--- a/detections/endpoint/excel_spawning_windows_script_host.yml
+++ b/detections/deprecated/excel_spawning_windows_script_host.yml
@@ -1,9 +1,9 @@
 name: Excel Spawning Windows Script Host
 id: 57fe880a-9be3-11eb-9bf3-acde48001122
-version: 7
+version: 8
 date: '2025-01-13'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic has been deprecated in favour of a more generic approach. The following analytic identifies instances where Microsoft Excel spawns
@@ -53,6 +53,21 @@ drilldown_searches:
 by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: An instance of $parent_process_name$ spawning $process_name$ was identified
+ on endpoint $dest$ by user $user$, indicating potential suspicious macro execution.
+ risk_objects:
+ - field: user
+ type: user
+ score: 80
+ - field: dest
+ type: system
+ score: 80
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
+ - field: process_name
+ type: process_name
 tags:
 analytic_story:
 - Spearphishing Attachments
diff --git a/detections/deprecated/office_product_spawning_mshta.yml b/detections/deprecated/office_product_spawning_mshta.yml
index 727712a09b..966d3f3b98 100644
--- a/detections/deprecated/office_product_spawning_mshta.yml
+++ b/detections/deprecated/office_product_spawning_mshta.yml
@@ -51,6 +51,16 @@ drilldown_searches:
 | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: Office process $parent_process_name$ observed executing a suspicious child
+ process $process_name$ with process id $process_id$ on host $dest$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 63
+ threat_objects:
+ - field: process_name
+ type: process_name
 tags:
 analytic_story:
 - Azorult
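Review bot: The new `rba` block keeps full production-grade scoring (`score: 80` on both `user` and `dest`) in a file whose header hunk has just moved it to `status: deprecated` in favour of a more generic analytic; if a deployment leaves the deprecated search enabled alongside its replacement, the same Excel-to-WSH spawn would be risk-scored twice and inflate the risk index for that user and host. Either lower the score, or add a sentence to `description` stating that the rba block is retained only so the deprecated file still validates, so that operators know to disable it. The same consideration applies to the other deprecated files touched in this commit (office_product_spawning_mshta, office_product_spawning_windows_script_host, office_product_spawning_wmic, winword_spawning_cmd, winword_spawning_windows_script_host).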
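Review bot: `threat_objects` in the mshta hunk lists only `process_name`, although the `message` on the lines above already names `$parent_process_name$`, and the office_product_spawning_windows_script_host hunk in this same commit carries both `parent_process_name` and `process_name` as threat objects. For consistency across the deprecated Office analytics, and so the risk event keeps the spawning Office binary as a pivot, add `- field: parent_process_name` / `type: parent_process_name` under `threat_objects`. The same gap appears in the office_product_spawning_wmic hunk.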
@@ -60,40 +70,13 @@ tags: - NjRAT - CVE-2023-36884 Office and Windows HTML RCE Vulnerability asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/deprecated/office_product_spawning_windows_script_host.yml b/detections/deprecated/office_product_spawning_windows_script_host.yml index 0a0e918fef..20ee47bc5c 100644 --- a/detections/deprecated/office_product_spawning_windows_script_host.yml +++ b/detections/deprecated/office_product_spawning_windows_script_host.yml @@ -54,6 +54,18 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ on host $dest$. + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments 
@@ -61,44 +73,13 @@ tags: - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - Compromised Windows Host asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ on host $dest$. mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: parent_process_name - type: Process - role: - - Attacker - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test @@ -106,4 +87,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/detections/deprecated/office_product_spawning_wmic.yml b/detections/deprecated/office_product_spawning_wmic.yml index 477df1d5cc..6360ea5c4e 100644 --- a/detections/deprecated/office_product_spawning_wmic.yml +++ b/detections/deprecated/office_product_spawning_wmic.yml 
@@ -54,6 +54,16 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process id $process_id$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments @@ -61,40 +71,13 @@ tags: - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - FIN7 asset_type: Endpoint - confidence: 90 - impact: 70 - message: office parent process $parent_process_name$ will execute a suspicious child - process $process_name$ with process id $process_id$ in host $dest$ mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 63 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/deprecated/winword_spawning_cmd.yml b/detections/deprecated/winword_spawning_cmd.yml index ea5336cf1b..5760517a84 100644 --- a/detections/deprecated/winword_spawning_cmd.yml +++ b/detections/deprecated/winword_spawning_cmd.yml 
@@ -51,6 +51,19 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: '$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ + which is very common in spearphishing attacks.' + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments @@ -58,44 +71,13 @@ tags: - CVE-2023-21716 Word RTF Heap Corruption - DarkCrystal RAT asset_type: Endpoint - confidence: 100 - impact: 70 - message: '$parent_process_name$ on $dest$ by $user$ launched command: $process_name$ - which is very common in spearphishing attacks.' mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Processes.dest - - Processes.user - - Processes.parent_process_name - - Processes.parent_process - - Processes.original_file_name - - Processes.process_name - - Processes.process - - Processes.process_id - - Processes.parent_process_path - - Processes.process_path - - Processes.parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/deprecated/winword_spawning_windows_script_host.yml b/detections/deprecated/winword_spawning_windows_script_host.yml index 52d3046d40..16ee7d84c1 100644 --- a/detections/deprecated/winword_spawning_windows_script_host.yml +++ b/detections/deprecated/winword_spawning_windows_script_host.yml 
@@ -51,44 +51,31 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ on $dest$ spawned Windows Script Host from Winword.exe + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments - Compromised Windows Host - CVE-2023-21716 Word RTF Heap Corruption asset_type: Endpoint - confidence: 100 - impact: 70 - message: User $user$ on $dest$ spawned Windows Script Host from Winword.exe mitre_attack_id: - T1566 - T1566.001 - observable: - - name: dest - type: Endpoint - role: - - Victim - - name: user - type: User - role: - - Victim - - name: process_name - type: Process - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - process_name - - process_id - - parent_process_name - - dest - - user - - parent_process_id - risk_score: 70 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml index 6c10c6f275..deb04b7e4d 100644 --- a/detections/endpoint/linux_auditd_add_user_account.yml +++ b/detections/endpoint/linux_auditd_add_user_account.yml 
@@ -22,6 +22,13 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to add a user account.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Privilege Escalation
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index b058a0c9f4..179bf9a925 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
@@ -22,6 +22,13 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: New [$type$] event on host - [$dest$] to add a user account type.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
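Review bot: `threat_objects: []` leaves the risk event without any pivot, even though the `message` one line above already exposes the executable via `$process_exec$`; an analyst triaging the risk index then has to open the raw audit record to see which binary added the account. If the RBA schema accepts that field, `- field: process_exec` with `type: process_name` (the type already used by the Office hunks in this commit) would preserve it; if it does not, a short comment on the `threat_objects` line saying why it is intentionally empty would stop the next reviewer from re-raising this. The same empty list is used in every other linux_auditd hunk of this commit that interpolates `$process_exec$` or `$comm$` (base64_decode_files, change_file_owner_to_root, clipboard_data_copy, data_destruction_command, the two split variants, database and file discovery, dd_file_overwrite, doas_tool_execution, edit_cron_table_parameter, chattr).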
diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index 0084dbce6d..ce87100fe8 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml +++ b/detections/endpoint/linux_auditd_at_application_execution.yml @@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the + "at" application. + risk_objects: + - field: dest + type: system + score: 9 + threat_objects: [] tags: analytic_story: - Scheduled Tasks diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml index b3f8512259..dddc777142 100644 --- a/detections/endpoint/linux_auditd_auditd_service_stop.yml +++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml 
@@ -22,6 +22,13 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A service event - [$type$] event occured on host - [$dest$].
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index 38f0533d96..4c97560dad 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using
+ base64.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
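Review bot: The new risk message for auditd_service_stop reads `A service event - [$type$] event occured on host - [$dest$].`, which misspells "occurred", repeats "event", and, unlike every sibling message in this commit, never states what was detected, so the analyst sees a risk event with no hint that the audit daemon itself stopped logging. Suggest `message: A service event - [$type$] occurred on host - [$dest$] indicating the auditd service was stopped.` The same "occured" typo is in the disable_or_modify_system_firewall hunk (which also has a stray space before the final period in `on host - [$dest$] .`) and in the doas_conf_file_creation hunk.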
diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml index 13784c73f7..a45a65d0f8 100644 --- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml +++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml @@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner + to root. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml index 4b3ad20b66..0a32d1b5d3 100644 --- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml +++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml 
@@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to copy data from + the clipboard. + risk_objects: + - field: dest + type: system + score: 16 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land @@ -41,4 +49,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log source: /var/log/audit/audit.log sourcetype: linux:audit - update_timestamp: true diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml index e69160ec5f..0d435a8f23 100644 --- a/detections/endpoint/linux_auditd_data_destruction_command.yml +++ b/detections/endpoint/linux_auditd_data_destruction_command.yml 
@@ -23,6 +23,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to destroy data. + risk_objects: + - field: dest + type: system + score: 90 + threat_objects: [] tags: analytic_story: - Data Destruction diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index 2e2c6a3e6e..2c7f2eee4e 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml @@ -22,6 +22,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to split a file. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land 
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml index 9c30d10fae..798a41de8e 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml @@ -22,6 +22,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] that limits + the size of data transfer. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml index ade8e0963c..d9643341cb 100644 --- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml 
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to discover database
+ files and directories.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
index 7582f3f830..6c9556388c 100644
--- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
@@ -23,6 +23,13 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$].
+ risk_objects:
+ - field: dest
+ type: system
+ score: 81
+ threat_objects: []
 tags:
 analytic_story:
 - Industroyer2
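Review bot: The dd_file_overwrite risk message `A [$process_exec$] event occurred on host - [$dest$].` carries a score of 81, the second-highest in this commit, yet says nothing about what happened; every other linux_auditd message added here ends with the observed action, and a bare "event occurred" gives the analyst no reason for that score. Suggest `message: A [$process_exec$] event occurred on host - [$dest$] to overwrite a file using dd.` to match the sibling wording and the detection's name.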
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml index e9ebbd65c8..f1a1585c55 100644 --- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml @@ -22,6 +22,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A service event - [$type$] to disable or modify system firewall occured + on host - [$dest$] . + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index 06ac060b5a..55c71d3dd9 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml 
@@ -23,6 +23,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$type$] event occured on host - [$dest$] to create a doas.conf file. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index 3e9f267e64..202bba09f3 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml @@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the + "doas" tool. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Privilege Escalation 
diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index 336e5f94d9..4c16052073 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml @@ -22,6 +22,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to edit the + cron table. + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: [] tags: analytic_story: - Scheduled Tasks diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml index e41ce58104..f117d9113f 100644 --- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml 
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to discover files
+ and directories.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
@@ -36,10 +44,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- required_fields:
- - _time
- - argc
- - process_exec
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
index ef108ec994..84bb8beef4 100644
--- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
+++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to modify file permissions
+ using the "chattr" command.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 49
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
index 7c3d0d5f96..f42a173862 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to find credentials
+ stored in password managers.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
index 52eaee55b9..6332592a94 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to find credentials
+ stored in password managers.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
index 02d503e9d5..8788828cc2 100644
--- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
+++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to find SSH private
+ keys.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 49
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
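Review bot: The rba message added to linux_auditd_find_credentials_from_password_stores.yml ends with `stored in password managers.`, which is the message of the password-managers detection in the preceding hunk and does not describe this detection, so an analyst receiving both risk events could not tell them apart. The continuation line should be `+ stored in password stores.` (or wording that matches this detection's name). The score of 64 is also identical to the copied file; worth confirming it was chosen rather than carried over with the text.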
diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
index 9753bdfd30..11a767918e 100644
--- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to disable the swapping
+ of paging devices on a Linux system.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 36
+ threat_objects: []
 tags:
 analytic_story:
 - Data Destruction
@@ -41,4 +49,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log
 source: /var/log/audit/audit.log
 sourcetype: linux:audit
- update_timestamp: true
diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
index b5db900508..f888933bba 100644
--- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
+++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
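Review bot: The second hunk of linux_auditd_hardware_addition_swapoff.yml drops `update_timestamp: true` from the test's attack dataset without anything in the commit explaining why, and this is the only test attribute changed in the visible part of the diff. If that flag is what shifts the replayed dataset's timestamps into the current search window, removing it can make the True Positive test stop matching for a reason unrelated to the detection logic; it would be worth confirming the test still passes after this change, or adding a one-line comment in the test block stating why the flag is no longer needed.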
@@ -23,6 +23,13 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$].
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
index 7be24b3b66..29a1db8488 100644
--- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
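Review bot: The rba message `A [$process_exec$] event occurred on host - [$dest$].` in linux_auditd_hidden_files_and_directories_creation.yml names neither the activity nor the object, so the risk event tells an analyst nothing about a hidden file or directory being created, unlike every other message in this commit. Suggested: `+ message: A [$process_exec$] event occurred on host - [$dest$] to create a hidden file or directory.`.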
@@ -24,6 +24,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to install a
+ Linux kernel module using the modprobe utility.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Privilege Escalation
diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
index 390e98bc6a..c242b8d08f 100644
--- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to remove a
+ Linux kernel module using the rmmod utility.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 72
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
index a07f3a6dd9..3720c29aba 100644
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to add NOPASSWD entry
+ in sudoers file.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Privilege Escalation
diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml
index 28ef4f1cb1..3bdf4cc7ec 100644
--- a/detections/endpoint/linux_auditd_osquery_service_stop.yml
+++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A service event - [$type$] event occured on host - [$dest$] to stop the
+ osquery service.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
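Review bot: In the linux_auditd_osquery_service_stop.yml hunk the message `A service event - [$type$] event occured on host - [$dest$] to stop the` says "event" twice, which reads as a leftover from merging two templates. A cleaner form is `+ message: A service event - [$type$] occurred on host - [$dest$] to stop the` with the continuation `+ osquery service.` unchanged. The same `A service event - [$type$] event` phrasing is added in linux_auditd_stop_services.yml and linux_auditd_sysmon_service_stop.yml and should be changed the same way.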
diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
index 783e1ce760..70e240b1dc 100644
--- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$type$] has been accessed/modified on host - [$dest$] to modify the
+ sshd_config file.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
index 404c3c008d..d1b5f03bb9 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
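Review bot: The message `A [$type$] has been accessed/modified on host - [$dest$] to modify the sshd_config file.` makes `$type$` the thing that was accessed, whereas the other messages in this commit use it as the audit event type (`A [$type$] event ... on host`), and "accessed/modified ... to modify" says the same thing twice. Since the detection name covers both access and modification, the risk message should not assert modification; suggested: `+ message: A [$type$] event occurred on host - [$dest$] indicating access to or modification` followed by `+ of the sshd_config file.`. The sudoers hunk in linux_auditd_possible_access_to_sudoers_file.yml uses the same construction and should be reworded the same way.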
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to access or dump
+ the contents of /etc/passwd and /etc/shadow files.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Privilege Escalation
diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
index 4e41d4d034..b7ae713fdb 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$type$] has been accessed/modified on host - [$dest$] to access or modify
+ the sudoers file.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Privilege Escalation
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
index 6eef14886f..905d2fd1db 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to hijack or hook
+ library functions using the LD_PRELOAD environment variable.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 81
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Privilege Escalation
diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
index 47930b7dbc..d44e083fbb 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
@@ -22,6 +22,13 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$type$] event has occured on host - [$dest$] to modify the preload file.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 81
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
index 208899c9ed..0e5f984f6a 100644
--- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -23,6 +23,13 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to find private keys.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml
index 5cf26907bf..e70eac26b5 100644
--- a/detections/endpoint/linux_auditd_service_restarted.yml
+++ b/detections/endpoint/linux_auditd_service_restarted.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to restart or re-enable
+ a service.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - AwfulShred
diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml
index 1eb2f52950..aeb9364bc8 100644
--- a/detections/endpoint/linux_auditd_service_started.yml
+++ b/detections/endpoint/linux_auditd_service_started.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to start or enable
+ a service.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
index 0a5901105b..d958d0309d 100644
--- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or
+ SGID bit on files using the chmod utility.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 81
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
index 9a77024d34..df8cc3f4ae 100644
--- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to set the SUID or
+ SGID bit on files using the setcap utility.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 81
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Privilege Escalation
diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
index 6b4c425301..bcd4d675a9 100644
--- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
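Review bot: The rba message for linux_auditd_setuid_using_setcap_utility.yml says the event was `to set the SUID or SGID bit on files using the setcap utility`, but setcap assigns POSIX file capabilities, not the setuid/setgid mode bits, so the risk event would misdescribe what happened on the host; the text looks copied from the chmod detection in the previous hunk. Suggested: `+ message: A [$process_exec$] event occurred on host - [$dest$] to set file capabilities` followed by `+ using the setcap utility.`. If the detection's name and description outside this hunk use the same SUID wording, they should be aligned in the same change.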
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to overwrite files
+ using the shred utility.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 81
+ threat_objects: []
 tags:
 analytic_story:
 - AwfulShred
diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml
index 23004f47e1..7de4ac2caa 100644
--- a/detections/endpoint/linux_auditd_stop_services.yml
+++ b/detections/endpoint/linux_auditd_stop_services.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A service event - [$type$] event occured on host - [$dest$] to stop or
+ disable a service.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 49
+ threat_objects: []
 tags:
 analytic_story:
 - Industroyer2
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
index a334c0aabd..b53ed7ef6c 100644
--- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$process_exec$] event occurred on host - [$dest$] to execute the sudo
+ or su command.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Privilege Escalation
diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
index 42823d3bc6..2cb80778a0 100644
--- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml
+++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A service event - [$type$] event occured on host - [$dest$] to stop or
+ disable the sysmon service.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
index 23ed547ae0..8691c24bfe 100644
--- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
+++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
@@ -22,6 +22,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover
+ system network configuration.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
index 67d17b2f04..9b4c91ba32 100644
--- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
@@ -23,6 +23,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A [$type$] event occured on host - [$dest$] to modify the unix shell configuration
+ file.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Linux Living Off The Land
diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
index e2fea0b311..d3f5d76e2e 100644
--- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
+++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
@@ -22,6 +22,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to unload a kernel + module via the modprobe command. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml index e3f63c6ec4..59da2a56d4 100644 --- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml 
@@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A [$process_exec$] event occurred on host - [$dest$] to discover virtual + disk files and directories. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index a016a2f848..b940269f1e 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml 
@@ -23,6 +23,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover + virtual disk files and directories. + risk_objects: + - field: dest + type: system + score: 25 + threat_objects: [] tags: analytic_story: - Linux Living Off The Land diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index 2492906b66..41471fc7c0 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml 
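Review bot: The `rba.message` added to linux_auditd_whoami_user_discovery.yml says the event was executed "to discover virtual disk files and directories", which is the text of the previous (virtual_disk_file_and_directory_discovery) hunk and does not describe this detection. An analyst triaging the risk event would be pointed at the wrong technique, so the message should match the file's purpose, e.g. `message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover the current user via whoami.`. The search body is outside the hunk, so the exact wording of what is detected should be checked against it.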
@@ -24,6 +24,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: PowerShell local execution policy bypass attempt on $dest$ + risk_objects: + - field: dest + type: system + score: 42 + threat_objects: [] tags: analytic_story: - DHS Report TA18-074A diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml index ff2bb3142d..e18398545b 100644 --- a/detections/endpoint/microsoft_defender_atp_alerts.yml +++ b/detections/endpoint/microsoft_defender_atp_alerts.yml 
@@ -31,6 +31,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $severity$ alert for $src$ - $signature$ + risk_objects: + - field: src + type: system + score: 81 + - field: user + type: user + score: 81 + threat_objects: + - field: file_name + type: file_name + - field: process + type: process_name + - field: ip_address + type: ip_address + - field: registry_key + type: registry_path + - field: url + type: url tags: analytic_story: - Critical Alerts diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml index a25edb92d9..2133ecae98 100644 --- a/detections/endpoint/microsoft_defender_incident_alerts.yml +++ b/detections/endpoint/microsoft_defender_incident_alerts.yml 
@@ -37,6 +37,26 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $severity$ alert for $dest$ - $signature$ + risk_objects: + - field: dest + type: system + score: 81 + - field: user + type: user + score: 81 + threat_objects: + - field: file_name + type: file_name + - field: process + type: process_name + - field: ip_address + type: ip_address + - field: registry_key + type: registry_path + - field: url + type: url tags: analytic_story: - Critical Alerts diff --git a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml index 6cd7997756..1d0ac6798c 100644 --- a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml +++ b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml 
@@ -23,6 +23,22 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning multiple $process_name$ was + identified on endpoint $dest$ by user $user$ typically not a normal behavior of + the process. + risk_objects: + - field: user + type: user + score: 32 + - field: dest + type: system + score: 32 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Unusual Processes diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index b6d6b21dc1..98ce1c7612 100644 --- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml 
@@ -26,6 +26,18 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A suspicious powershell script contains reflective class assembly command + in $ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in + host $Computer$ + risk_objects: + - field: Computer + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: [] tags: analytic_story: - Winter Vivern diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml index 598dfc25f6..13f823f51e 100644 --- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml +++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml 
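Review bot: The second risk object in the powershell_loading_dotnet_into_memory_via_reflection.yml hunk is `field: user`, but the drilldown on the same lines references `$UserID$` (and `$Computer$`, which does match the first risk object), which suggests the search emits the raw EventCode 4104 field names rather than a normalized `user`. If that is the case the user risk object will be empty and no risk is attributed to the account. Either change it to `- field: UserID` or rename the field inside the search (not visible here) so that `user` exists; the same applies to the Computer/dest pairing if the rest of the file is normalized to `dest`.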
@@ -25,6 +25,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Suspicious printer spooler errors have occured on endpoint $ComputerName$ + with EventCode $EventCode$. + risk_objects: + - field: ComputerName + type: system + score: 72 + threat_objects: [] tags: analytic_story: - PrintNightmare CVE-2021-34527 diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml index 9a524277f3..9e30f471ff 100644 --- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml +++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml @@ -35,6 +35,17 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A process $process_name$ that possibly creates a shim db silently in host + $dest$ + risk_objects: + - field: dest + type: system + score: 63 + - field: user + type: user + score: 63 + threat_objects: [] tags: analytic_story: - Windows Persistence Techniques diff --git a/detections/endpoint/windows_attempt_to_stop_security_service.yml b/detections/endpoint/windows_attempt_to_stop_security_service.yml index 36347b3b34..fa9264062b 100644 --- a/detections/endpoint/windows_attempt_to_stop_security_service.yml 
+++ b/detections/endpoint/windows_attempt_to_stop_security_service.yml @@ -25,6 +25,21 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + attempting to disable security services on endpoint $dest$ by user $user$. + risk_objects: + - field: user + type: user + score: 20 + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - WhisperGate diff --git a/detections/endpoint/windows_bitlockertogo_process_execution.yml b/detections/endpoint/windows_bitlockertogo_process_execution.yml index a6607a72a8..61c3ece759 100644 --- a/detections/endpoint/windows_bitlockertogo_process_execution.yml +++ b/detections/endpoint/windows_bitlockertogo_process_execution.yml @@ -42,6 +42,15 @@ tags: asset_type: Endpoint mitre_attack_id: - T1218 + observable: + - name: dest + type: Endpoint + role: + - Victim + - name: user + type: User + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml index 9be44cb329..697b12d58d 100644 --- a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml 
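Review bot: The windows_bitlockertogo_process_execution.yml hunk adds a legacy `tags.observable` block with `role: Victim`, whereas every other file touched in this patch is being migrated to a top-level `rba:` block with `risk_objects`/`threat_objects`. If the content build now derives risk attribution from `rba`, this file will still have no risk objects and the observable block may be ignored or flagged by the schema validator. Unless the observable block is intentionally kept for an older template, consider replacing it with the equivalent `rba:` section (fields `dest` as `system` and `user` as `user`, score as set elsewhere in the file) so the file is consistent with the rest of the change.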
+++ b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml @@ -38,6 +38,11 @@ tags: asset_type: Endpoint mitre_attack_id: - T1218 + observable: + - name: dest + type: Endpoint + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index bfea210231..1201456848 100644 --- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -26,6 +26,21 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A non-standard parent process $parent_process_name$ spawned child process + $process_name$ to execute command-line tool on $dest$. + risk_objects: + - field: dest + type: system + score: 56 + - field: user + type: user + score: 56 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Volt Typhoon diff --git a/detections/endpoint/windows_create_local_administrator_account_via_net.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml index 90f25d28e9..033b7f012f 100644 --- a/detections/endpoint/windows_create_local_administrator_account_via_net.yml 
+++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml @@ -23,6 +23,22 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators + group. + risk_objects: + - field: user + type: user + score: 30 + - field: dest + type: system + score: 30 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - DHS Report TA18-074A diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml index 1bee496a19..806aa64509 100644 --- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml +++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml @@ -58,6 +58,14 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: $TargetUserName$ may be impersonating a Domain Administrator through a + forged Kerberos ticket. + risk_objects: + - field: TargetUserName + type: user + score: 80 + threat_objects: [] tags: analytic_story: - Active Directory Kerberos Attacks 
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml index b404ba054e..0fecbadc81 100644 --- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml +++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml @@ -26,6 +26,17 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An attempt to create an "ESX Admins" group was detected on $dest$ by user + $user$. + risk_objects: + - field: user + type: user + score: 56 + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 @@ -37,7 +48,6 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 56 security_domain: endpoint cve: - CVE-2024-37085 diff --git a/detections/endpoint/windows_excessive_service_stop_attempt.yml b/detections/endpoint/windows_excessive_service_stop_attempt.yml index de83371e43..650ee8c56d 100644 --- a/detections/endpoint/windows_excessive_service_stop_attempt.yml +++ b/detections/endpoint/windows_excessive_service_stop_attempt.yml 
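Review bot: The windows_esx_admins_group_creation_via_net.yml section is the only one in this part of the patch that also removes `risk_score: 56` from `tags` alongside adding `rba.risk_objects` with `score: 56`; the other files only add the `rba` block. If `tags.risk_score` is now redundant with `rba.*.score`, leaving it in the other detections risks the two values drifting apart, and if it is still required by the build, deleting it here will fail validation for this file alone. Whichever is intended, the treatment should be uniform across the patch; a one-line comment in the PR description stating that `tags.risk_score` is superseded would help reviewers of the remaining 36 commits.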
@@ -24,6 +24,16 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An excessive amount of $process_name$ was executed on $dest$ attempting + to disable services. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - XMRig diff --git a/detections/endpoint/windows_excessive_usage_of_net_app.yml b/detections/endpoint/windows_excessive_usage_of_net_app.yml index 6c507c45d5..303b508b62 100644 --- a/detections/endpoint/windows_excessive_usage_of_net_app.yml +++ b/detections/endpoint/windows_excessive_usage_of_net_app.yml 
@@ -24,6 +24,19 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Excessive usage of net1.exe or net.exe within 1m, with command line $process$ + has been detected on $dest$ by $user$ + risk_objects: + - field: user + type: user + score: 28 + - field: dest + type: system + score: 28 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Prestige Ransomware diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml index 75bf669de1..7b11c61c3d 100644 --- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml 
@@ -23,6 +23,21 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ contacting + a remote destination $dest_ip$ + risk_objects: + - field: user + type: user + score: 35 + - field: dest + type: system + score: 35 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Windows System Binary Proxy Execution MSIExec diff --git a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml index f83e86cb4c..7751b99c58 100644 --- a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml +++ b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml 
@@ -24,6 +24,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: non-shell parent process has a child process $process_name$ with a commandline + $process$ to fetch env variables on $dest$ + risk_objects: + - field: dest + type: system + score: 56 + threat_objects: [] tags: analytic_story: - Qakbot diff --git a/detections/endpoint/windows_network_share_interaction_via_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml index 8fb2277403..47a8dd8772 100644 --- a/detections/endpoint/windows_network_share_interaction_via_net.yml +++ b/detections/endpoint/windows_network_share_interaction_via_net.yml 
@@ -24,6 +24,17 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ leveraged net.exe on $dest$ to interact with network shares, + executed by parent process $parent_process$ + risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: [] tags: analytic_story: - Active Directory Discovery diff --git a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml index af6dcfcbad..b365b97975 100644 --- a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml +++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml @@ -35,6 +35,16 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on $dest$ writing an inf or + cab file to this. This is not typical of $process_name$. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments diff --git a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml index bddfbc1e24..3db3fc6cf0 100644 --- a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml 
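Review bot: In the windows_office_product_dropped_cab_or_inf_file.yml hunk the message reads "writing an inf or cab file to this. This is not typical of $process_name$", where "to this" looks like a truncated "to disk" and will read as a garbled sentence on the risk event. Suggested wording: `message: An instance of $process_name$ was identified on $dest$ writing an inf or cab file to disk. This is not typical of $process_name$.`. Including `$file_name$` or `$file_path$` would make the event more actionable if the search (outside this hunk) emits those fields.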
+++ b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml @@ -30,6 +30,15 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: process $process_name$ drops a file $file_name$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 64 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - CVE-2023-21716 Word RTF Heap Corruption diff --git a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml index 531428723b..fa747992b2 100644 --- a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml +++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml @@ -25,6 +25,16 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ was identified on endpoint $dest$ loading + mshtml.dll. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments diff --git a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml index 9dfd532495..4e37e4291b 100644 --- a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml 
+++ b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml @@ -24,6 +24,14 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An Office document was identified creating a scheduled task on $dest$. + Investigate further. + risk_objects: + - field: dest + type: system + score: 49 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments diff --git a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml index 585cca431d..35b2ea4bd6 100644 --- a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml +++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml 
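Review bot: The `rba.message` for windows_office_product_loading_taskschd_dll.yml states an Office document "was identified creating a scheduled task", but the detection name and the sibling mshtml hunk indicate this fires on an image load of taskschd.dll, which is a precursor and not evidence that a task was created. Overstating the observation in the risk message can mislead triage and inflate confidence in a 49-point event. Mirror the mshtml message and expose the process as a threat object: `message: An instance of $process_name$ was identified on endpoint $dest$ loading taskschd.dll, a library used to create scheduled tasks.` with `threat_objects: - field: process_name type: process_name`, assuming the search emits `process_name` as the mshtml one does.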
@@ -27,6 +27,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office document executing a macro on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml index 1d46e41096..0a06c8cf3f 100644 --- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml +++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml @@ -25,6 +25,13 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office document spawning suspicious child process on $dest$ + risk_objects: + - field: dest + type: system + score: 35 + threat_objects: [] tags: analytic_story: - Spearphishing Attachments 
diff --git a/detections/endpoint/windows_office_product_spawned_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml index 0878b4d611..1cf0c90c7e 100644 --- a/detections/endpoint/windows_office_product_spawned_control.yml +++ b/detections/endpoint/windows_office_product_spawned_control.yml @@ -50,6 +50,18 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ clicking a suspicious attachment. + risk_objects: + - field: dest + type: system + score: 80 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml index 51adb635a8..3739e7513e 100644 --- a/detections/endpoint/windows_office_product_spawned_msdt.yml +++ b/detections/endpoint/windows_office_product_spawned_msdt.yml @@ -50,6 +50,21 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ has spawned a child process $process_name$ + on host $dest$. + risk_objects: + - field: user + type: user + score: 100 + - field: dest + type: system + score: 100 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments diff --git a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml index 0a3ad75c8d..6950ce0432 100644 
--- a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml +++ b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml @@ -47,6 +47,17 @@ drilldown_searches: | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: Office process $parent_process_name$ observed executing a suspicious child + process $process_name$ with process id $process_id$ and no dll commandline $process$ + on host $dest$ + risk_objects: + - field: dest + type: system + score: 63 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - Spearphishing Attachments diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml index 6894764e34..07bf669910 100644 --- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml +++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml @@ -43,6 +43,18 @@ drilldown_searches: by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: User $user$ on $dest$ spawned Windows Script Host from Winword.exe + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: process_name + type: process_name tags: analytic_story: - AgentTesla diff --git a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml index 5bafee9f07..128c59a6e9 100644 --- a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml +++ b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml 
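Review bot: The message added to windows_office_product_spawned_uncommon_process.yml hard-codes "spawned Windows Script Host from Winword.exe", but the detection name covers any uncommon child of any Office product, and the hunk itself registers `process_name` as a threat object, so the text will be wrong for Excel/PowerPoint parents and for non-WSH children. Use the fields instead: `message: Office process $parent_process_name$ spawned uncommon child process $process_name$ on $dest$ by user $user$.`. The search is outside this hunk, so confirm `parent_process_name` is emitted before adding it (and consider listing it as a second threat object like the other Office hunks do).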
@@ -28,6 +28,13 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: Elevated domain group discovery enumeration on $dest$ by $user$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 21
+ threat_objects: []
 tags:
 analytic_story:
 - Active Directory Discovery
diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
index 83995aa775..77cda7a286 100644
--- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
+++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
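Review bot: The message interpolates `$user$` but risk_objects carries only `dest`, so the account that ran the enumeration accrues no risk, and the risk-events drilldown in the context lines searches `IN ("$dest$")` only, so the event cannot be pivoted by user. If the search emits `user` (the search line is outside the hunk), add `- field: user` / `type: user` / `score: 21` alongside dest, as the registry_hive_dump hunk that follows does for the same pattern.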
@@ -26,6 +26,19 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: Suspicious use of `reg.exe` exporting Windows Registry hives containing
+ credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$
+ risk_objects:
+ - field: user
+ type: user
+ score: 56
+ - field: dest
+ type: system
+ score: 56
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
 tags:
 analytic_story:
 - CISA AA22-257A
diff --git a/detections/endpoint/windows_service_creation.yml b/detections/endpoint/windows_service_creation.yml
index b668074316..1df59c5f1f 100644
--- a/detections/endpoint/windows_service_creation.yml
+++ b/detections/endpoint/windows_service_creation.yml
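Review bot: The message ends with "a parent process of $parent_process_id$" while the threat object is `parent_process_name`, so the notable shows a bare PID an analyst cannot act on and never names the parent that the threat object tracks. `with a parent process of $parent_process_name$ ($parent_process_id$)` keeps the id for correlation and makes the message and the threat object describe the same thing.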
@@ -31,6 +31,14 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A Windows Service was created on a endpoint from $dest$ using a registry
+ entry
+ risk_objects:
+ - field: dest
+ type: system
+ score: 64
+ threat_objects: []
 tags:
 analytic_story:
 - Active Directory Lateral Movement
diff --git a/macros/process_office_products.yml b/macros/process_office_products.yml
index 1f3155d735..7462194e06 100644
--- a/macros/process_office_products.yml
+++ b/macros/process_office_products.yml
@@ -1,3 +1,3 @@
 definition: (Processes.process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe", "wordpad.exe", "wordview.exe") OR Processes.original_file_name IN ("EQNEDT32.EXE", "Excel.exe", "Graph.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteIm.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "VISIO.EXE", "WinProj.exe", "WinWord.exe"))
 description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/
-name: process_office_products
\ No newline at end of file
+name: process_office_products
From b1bf4c6310cbc3ad3f3cac76428baa4dee0c14ed Mon Sep 17 00:00:00 2001
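Review bot: The message `A Windows Service was created on a endpoint from $dest$ using a registry entry` reads as if $dest$ were the source of the creation rather than the host it happened on, and "a endpoint" is a typo. `A Windows service was created via a registry entry on endpoint $dest$` states what the detection observes. threat_objects is empty here; if the search (outside the hunk) surfaces the registry value or the service image path, that field would be the natural threat object, since it is what separates an installer from a persistence entry.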
From: Nasreddine Bencherchali
Date: Wed, 22 Jan 2025 20:51:36 +0100
Subject: [PATCH 28/37] more fixes
---
 .../remote_system_discovery_with_net.yml | 18 ---------
 .../winword_spawning_powershell.yml | 40 ++++++-------------
 ...cronjob_entry_on_existing_cronjob_file.yml | 4 +-
 ...ding_dotnet_into_memory_via_reflection.yml | 8 ++--
 ...indows_bitlockertogo_process_execution.yml | 9 -----
 ...ws_bitlockertogo_with_network_activity.yml | 5 ---
 .../windows_office_product_spawned_msdt.yml | 13 ------
 7 files changed, 19 insertions(+), 78 deletions(-)
diff --git a/detections/deprecated/remote_system_discovery_with_net.yml b/detections/deprecated/remote_system_discovery_with_net.yml
index a9570ff02a..b62a9e9f25 100644
--- a/detections/deprecated/remote_system_discovery_with_net.yml
+++ b/detections/deprecated/remote_system_discovery_with_net.yml
@@ -26,28 +26,10 @@ tags:
 message: Remote system discovery enumeration on $dest$ by $user$
 mitre_attack_id:
 - T1018
- observable:
- - name: dest
- type: Endpoint
- role:
- - Victim
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- required_fields:
- - Processes.dest
- - Processes.user
- - Processes.parent_process_name
- - Processes.parent_process
- - Processes.original_file_name
- - Processes.process_name
- - Processes.process
- - Processes.process_id
- - Processes.parent_process_path
- - Processes.process_path
- - Processes.parent_process_id
- risk_score: 15
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/deprecated/winword_spawning_powershell.yml b/detections/deprecated/winword_spawning_powershell.yml
index 91d719d427..15811b2308 100644
--- a/detections/deprecated/winword_spawning_powershell.yml
+++ b/detections/deprecated/winword_spawning_powershell.yml
@@ -54,6 +54,19 @@ drilldown_searches:
 by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: '$parent_process_name$ on $dest$ by $user$ launched the following powershell
+ process: $process_name$ which is very common in spearphishing attacks'
+ risk_objects:
+ - field: dest
+ type: system
+ score: 70
+ - field: user
+ type: user
+ score: 70
+ threat_objects:
+ - field: process_name
+ type: process_name
 tags:
 analytic_story:
 - Spearphishing Attachments
@@ -68,37 +81,10 @@ tags:
 mitre_attack_id:
 - T1566
 - T1566.001
- observable:
- - name: dest
- type: Endpoint
- role:
- - Victim
- - name: user
- type: User
- role:
- - Victim
- - name: process_name
- type: Process
- role:
- - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- required_fields:
- - _time
- - Processes.dest
- - Processes.user
- - Processes.parent_process_name
- - Processes.parent_process
- - Processes.original_file_name
- - Processes.process_name
- - Processes.process
- - Processes.process_id
- - Processes.parent_process_path
- - Processes.process_path
- - Processes.parent_process_id
- risk_score: 70
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
index 9f4c9fb5a8..b404a42ce6 100644
--- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
+++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
 id: fea71cf0-fa10-4ef6-9202-9682b2e0c477
-version: '3'
-date: '2024-12-17'
+version: 4
+date: '2025-01-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
index 98ce1c7612..a98579a280 100644
--- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
+++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -18,12 +18,12 @@ references:
 - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
 - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
 drilldown_searches:
-- name: View the detection results for - "$Computer$" and "$UserID$"
- search: '%original_detection_search% | search Computer = "$Computer$" UserID = "$UserID$"'
+- name: View the detection results for - "$Computer$" and "$user$"
+ search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$Computer$" and "$UserID$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$UserID$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+- name: View risk events for the last 7 days for - "$Computer$" and "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
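Review bot: The drilldowns now filter on `user = "$user$"` and pivot risk on `"$user$"`, which only resolves if the detection search itself emits a field named user; PowerShell script-block events natively carry UserID, which is what the old side used. The search line and the rba block are outside this hunk, so confirm the search renames UserID to user (e.g. `| rename UserID as user`), otherwise both drilldowns will silently return nothing and the risk object for the user will be empty.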
diff --git a/detections/endpoint/windows_bitlockertogo_process_execution.yml b/detections/endpoint/windows_bitlockertogo_process_execution.yml
index 61c3ece759..a6607a72a8 100644
--- a/detections/endpoint/windows_bitlockertogo_process_execution.yml
+++ b/detections/endpoint/windows_bitlockertogo_process_execution.yml
@@ -42,15 +42,6 @@ tags:
 asset_type: Endpoint
 mitre_attack_id:
 - T1218
- observable:
- - name: dest
- type: Endpoint
- role:
- - Victim
- - name: user
- type: User
- role:
- - Victim
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
index 697b12d58d..9be44cb329 100644
--- a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
+++ b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
@@ -38,11 +38,6 @@ tags:
 asset_type: Endpoint
 mitre_attack_id:
 - T1218
- observable:
- - name: dest
- type: Endpoint
- role:
- - Victim
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml
index 3739e7513e..9fedd387e9 100644
--- a/detections/endpoint/windows_office_product_spawned_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawned_msdt.yml
@@ -80,19 +80,6 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- required_fields:
- - _time
- - Processes.dest
- - Processes.user
- - Processes.parent_process_name
- - Processes.parent_process
- - Processes.original_file_name
- - Processes.process_name
- - Processes.process
- - Processes.process_id
- - Processes.parent_process_path
- - Processes.process_path
- - Processes.parent_process_id
 security_domain: endpoint
 tests:
 - name: True Positive Test
From bd1c8364f10cb3f08ed080cc548e6432e47d1136 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Wed, 22 Jan 2025 20:57:29 +0100
Subject: [PATCH 29/37] CI fixes
---
 .../deprecated/remote_system_discovery_with_net.yml | 3 ---
 detections/deprecated/winword_spawning_powershell.yml | 4 ----
 .../endpoint/linux_auditd_data_destruction_command.yml | 1 -
 detections/endpoint/linux_auditd_stop_services.yml | 8 --------
 .../windows_http_network_communication_from_msiexec.yml | 1 -
 ...env_variables_via_set_command_from_uncommon_parent.yml | 1 -
 .../endpoint/windows_office_product_spawned_msdt.yml | 1 -
 .../windows_office_product_spawned_uncommon_process.yml | 1 -
 .../windows_registry_entries_exported_via_reg.yml | 1 -
 .../windows_registry_entries_restored_via_reg.yml | 1 -
 detections/endpoint/windows_service_stop_attempt.yml | 7 -------
 11 files changed, 29 deletions(-)
diff --git a/detections/deprecated/remote_system_discovery_with_net.yml b/detections/deprecated/remote_system_discovery_with_net.yml
index b62a9e9f25..2377264b52 100644
--- a/detections/deprecated/remote_system_discovery_with_net.yml
+++ b/detections/deprecated/remote_system_discovery_with_net.yml
@@ -21,9 +21,6 @@ tags:
 - Active Directory Discovery
 - IcedID
 asset_type: Endpoint
- confidence: 50
- impact: 30
- message: Remote system discovery enumeration on $dest$ by $user$
 mitre_attack_id:
 - T1018
 product:
diff --git a/detections/deprecated/winword_spawning_powershell.yml b/detections/deprecated/winword_spawning_powershell.yml
index 15811b2308..b2e102dc75 100644
--- a/detections/deprecated/winword_spawning_powershell.yml
+++ b/detections/deprecated/winword_spawning_powershell.yml
@@ -74,10 +74,6 @@ tags:
 - CVE-2023-21716 Word RTF Heap Corruption
 - DarkCrystal RAT
 asset_type: Endpoint
- confidence: 100
- impact: 70
- message: '$parent_process_name$ on $dest$ by $user$ launched the following powershell
- process: $process_name$ which is very common in spearphishing attacks'
 mitre_attack_id:
 - T1566
 - T1566.001
diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml
index 0d435a8f23..94d554eb0a 100644
--- a/detections/endpoint/linux_auditd_data_destruction_command.yml
+++ b/detections/endpoint/linux_auditd_data_destruction_command.yml
@@ -49,4 +49,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log
 source: /var/log/audit/audit.log
 sourcetype: linux:audit
- update_timestamp: true
diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml
index 7de4ac2caa..23004f47e1 100644
--- a/detections/endpoint/linux_auditd_stop_services.yml
+++ b/detections/endpoint/linux_auditd_stop_services.yml
@@ -23,14 +23,6 @@ drilldown_searches:
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
-rba:
- message: A service event - [$type$] event occured on host - [$dest$] to stop or
- disable a service.
- risk_objects:
- - field: dest
- type: system
- score: 49
- threat_objects: []
 tags:
 analytic_story:
 - Industroyer2
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
index 7b11c61c3d..94d5502310 100644
--- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml
+++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
@@ -55,4 +55,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
index 7751b99c58..4be4f5ad84 100644
--- a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
+++ b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
@@ -49,4 +49,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml
index 9fedd387e9..42115bf883 100644
--- a/detections/endpoint/windows_office_product_spawned_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawned_msdt.yml
@@ -87,4 +87,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/macro/msdt.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
index 07bf669910..5dc516ea3d 100644
--- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
+++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
@@ -102,7 +102,6 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: XmlWinEventLog
- update_timestamp: true
 - name: True Positive Test - TrickBot
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log
diff --git a/detections/endpoint/windows_registry_entries_exported_via_reg.yml b/detections/endpoint/windows_registry_entries_exported_via_reg.yml
index 594d20607e..70e5fc6a36 100644
--- a/detections/endpoint/windows_registry_entries_exported_via_reg.yml
+++ b/detections/endpoint/windows_registry_entries_exported_via_reg.yml
@@ -36,4 +36,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_registry_entries_restored_via_reg.yml b/detections/endpoint/windows_registry_entries_restored_via_reg.yml
index 39e55f7395..0406b4c476 100644
--- a/detections/endpoint/windows_registry_entries_restored_via_reg.yml
+++ b/detections/endpoint/windows_registry_entries_restored_via_reg.yml
@@ -35,4 +35,3 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: XmlWinEventLog
- update_timestamp: true
diff --git a/detections/endpoint/windows_service_stop_attempt.yml b/detections/endpoint/windows_service_stop_attempt.yml
index fa66d32958..c203b0a66e 100644
--- a/detections/endpoint/windows_service_stop_attempt.yml
+++ b/detections/endpoint/windows_service_stop_attempt.yml
@@ -29,13 +29,6 @@ drilldown_searches:
 | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
-rba:
- message: $process$ was executed on $dest$ attempting to stop service.
- risk_objects:
- - field: dest
- type: system
- score: 49
- threat_objects: []
 tags:
 analytic_story:
 - Prestige Ransomware
From 96f48874fd6dbe9f7f1c9db432384986d25f3ad7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 23 Jan 2025 15:17:46 +0100
Subject: [PATCH 30/37] additional rollback updates
---
 .../domain_account_discovery_with_net_app.yml | 2 +-
 .../linux_auditd_add_user_account.yml | 41 +++++++++---
 .../linux_auditd_add_user_account_type.yml | 39 ++++++++---
 .../linux_auditd_at_application_execution.yml | 42 +++++++++---
 .../linux_auditd_auditd_service_stop.yml | 40 +++++++++---
 .../linux_auditd_base64_decode_files.yml | 64 +++++++++++++------
 ...transfer_size_limits_via_split_syscall.yml | 41 +++++++++---
 .../linux_auditd_dd_file_overwrite.yml | 41 +++++++++---
 ...ditd_disable_or_modify_system_firewall.yml | 40 +++++++++---
 .../linux_auditd_doas_conf_file_creation.yml | 40 +++++++++---
 .../linux_auditd_doas_tool_execution.yml | 40 +++++++++---
 ...linux_auditd_edit_cron_table_parameter.yml | 41 +++++++++---
 ...ditd_kernel_module_using_rmmod_utility.yml | 41 +++++++++---
 ..._auditd_nopasswd_entry_in_sudoers_file.yml | 41 +++++++++---
 .../linux_auditd_osquery_service_stop.yml | 41 +++++++++---
 ...ss_or_modification_of_sshd_config_file.yml | 41 +++++++++---
 ...td_possible_access_to_credential_files.yml | 43 ++++++++++---
 ...auditd_possible_access_to_sudoers_file.yml | 39 +++++++++--
 ...cronjob_entry_on_existing_cronjob_file.yml | 3 +-
 ...auditd_preload_hijack_via_preload_file.yml | 39 +++++++++--
 ...ivate_keys_and_certificate_enumeration.yml | 62 ++++++++++++------
 .../linux_auditd_service_restarted.yml | 40 ++++++++++--
 .../endpoint/linux_auditd_service_started.yml | 40 ++++++++++--
 ...inux_auditd_setuid_using_chmod_utility.yml | 40 ++++++++++--
 .../linux_auditd_shred_overwrite_command.yml | 40 ++++++++++--
 .../linux_auditd_sysmon_service_stop.yml | 38 +++++++++--
 ...system_network_configuration_discovery.yml | 42 ++++++++++--
 ..._unix_shell_configuration_modification.yml | 44 +++++++++++--
 .../linux_auditd_whoami_user_discovery.yml | 39 +++++++++--
 ...print_spooler_failed_to_load_a_plug_in.yml | 30 +++++++--
...service_creation_using_registry_entry.yml} | 35 ++++++----
 31 files changed, 963 insertions(+), 246 deletions(-)
 rename detections/endpoint/{windows_service_creation.yml => windows_service_creation_using_registry_entry.yml} (55%)
diff --git a/detections/deprecated/domain_account_discovery_with_net_app.yml b/detections/deprecated/domain_account_discovery_with_net_app.yml
index 18d6cf1f8a..7299b21596 100644
--- a/detections/deprecated/domain_account_discovery_with_net_app.yml
+++ b/detections/deprecated/domain_account_discovery_with_net_app.yml
@@ -5,7 +5,7 @@ date: '2025-01-13'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: deprecated
 type: TTP
-description: This following analytic has been deprecated in favour of the generic version "". The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network.
+description: This following analytic has been deprecated in favour of the generic version "5d0d4830-0133-11ec-bae3-acde48001122". The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments used to query domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an attempt by adversaries to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out user accounts, potentially leading to further exploitation or lateral movement within the network.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml
index deb04b7e4d..5de241fc97 100644
--- a/detections/endpoint/linux_auditd_add_user_account.yml
+++ b/detections/endpoint/linux_auditd_add_user_account.yml
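Review bot: The rewritten description still opens with `This following analytic has been deprecated`, and the replacement is identified only by a bare UUID in quotes, which tells a reader nothing about which detection to enable instead. Since the line is being touched anyway, `The following analytic has been deprecated in favour of the generic version "<replacement detection name> (5d0d4830-0133-11ec-bae3-acde48001122)"`, with the name taken from the referenced detection file, fixes both.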
@@ -1,16 +1,35 @@
 name: Linux Auditd Add User Account
 id: aae66dc0-74b4-4807-b480-b35f8027abb4
 version: 3
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the creation of new user accounts on Linux systems using commands like "useradd" or "adduser." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.
+description: The following analytic detects the creation of new user accounts on Linux
+ systems using commands like "useradd" or "adduser." It leverages data from Endpoint
+ Detection and Response (EDR) agents, focusing on process names and command-line
+ executions. This activity is significant as adversaries often create new user accounts
+ to establish persistence on compromised hosts. If confirmed malicious, this could
+ allow attackers to maintain access, escalate privileges, and further compromise
+ the system, posing a severe security risk.
 data_source:
 - Linux Auditd Proctitle
-search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as
+ dest | where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%")
+ | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle
+ dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
+ `linux_auditd_add_user_account_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+ executions and process details on Unix/Linux systems. These logs should be ingested
+ and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can execute this command.
+ Please update the filter macros to remove false positives.
references:
 - https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/
 drilldown_searches:
@@ -19,7 +38,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -46,6 +70,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: linux:audit
\ No newline at end of file
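Review bot: The re-folded how_to_implement on the new side reads `data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events`, reintroducing the grammar error the old side had already corrected (`that consists of SYSCALL`); keep the corrected wording when re-wrapping, `data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures`. The same regression appears in the linux_auditd_add_user_account_type.yml hunk that follows. The third hunk of this file also drops the trailing newline (`\ No newline at end of file` on the new sourcetype line), the opposite of what the macros/process_office_products.yml hunk earlier in this series fixed, and `date` moves back to 2024-11-13 while `version` stays 3, so if the rollback is intentional it is worth confirming that content versioning does not key on the date.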
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index 179bf9a925..ae4cde478a 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
@@ -1,16 +1,33 @@
 name: Linux Auditd Add User Account Type
 id: f8c325ea-506e-4105-8ccf-da1492e90115
 version: 4
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.
+description: The following analytic detects the suspicious add user account type.
+ This behavior is critical for a SOC to monitor because it may indicate attempts
+ to gain unauthorized access or maintain control over a system. Such actions could
+ be signs of malicious activity. If confirmed, this could lead to serious consequences,
+ including a compromised system, unauthorized access to sensitive data, or even a
+ wider breach affecting the entire network. Detecting and responding to these signs
+ early is essential to prevent potential security incidents.
 data_source:
 - Linux Auditd Add User
-search: '`linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems.
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` type=ADD_USER | rename hostname as dest| stats count min(_time)
+ as firstTime max(_time) as lastTime by exe pid dest res UID type | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`| `linux_auditd_add_user_account_type_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+ executions and process details on Unix/Linux systems. These logs should be ingested
+ and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+ for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
 drilldown_searches:
@@ -19,7 +36,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -47,6 +69,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: linux:audit
\ No newline at end of file
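Review bot: The reflowed `how_to_implement` on the new side reads `data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line`, which loses the `of` and the subject agreement that the removed single-line version had (`that consists of SYSCALL, ...`), so this commit's "typo fixes" regress that sentence; the identical wording appears in the corresponding hunks of the At Application Execution, Auditd Service Stop, Base64 Decode Files and Split Syscall files. Suggested continuation line: `data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which capture command-line`. The `date` field also moves backwards here, from `'2025-01-20'` to `'2024-11-13'`, while the content changes; if that is a rebase artifact it should be restored so the date reflects the latest edit.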
diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml
index ce87100fe8..84a3cd77c9 100644
--- a/detections/endpoint/linux_auditd_at_application_execution.yml
+++ b/detections/endpoint/linux_auditd_at_application_execution.yml
@@ -1,16 +1,36 @@
 name: Linux Auditd At Application Execution
 id: 9f306e0a-1c36-469e-8892-968ca12470dd
 version: 3
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with "at" or "atd". This activity is significant because the "At" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.
+description: The following analytic detects the execution of the "At" application
+ in Linux, which can be used by attackers to create persistence entries on a compromised
+ host. This detection leverages data from Endpoint Detection and Response (EDR) agents,
+ focusing on process names and parent process names associated with "at" or "atd".
+ This activity is significant because the "At" application can be exploited to maintain
+ unauthorized access or deliver additional malicious payloads. If confirmed malicious,
+ this behavior could lead to data theft, ransomware attacks, or other severe consequences.
+ Immediate investigation is required to determine the legitimacy of the execution
+ and mitigate potential risks.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")
+ AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime
+ max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+ executions and process details on Unix/Linux systems.
These logs should be ingested
+ and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+ for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://attack.mitre.org/techniques/T1053/001/
 - https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/
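Review bot: The new-side `search` keeps the predicate `type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (UID IN("daemon"))` without parentheses; SPL evaluates AND (including the implicit AND between adjacent terms) before OR, so `type=SYSCALL` constrains only the `comm` branch and the `NOT UID` exclusion applies only to the `exe` branch, which means `comm=at` events from the daemon UID still match and the `exe` branch is not limited to SYSCALL records. Suggested predicate: `type=SYSCALL (comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")) AND NOT (UID IN("daemon"))`. The reflowed `description` also still says the detection "leverages data from Endpoint Detection and Response (EDR) agents" while `data_source` is `Linux Auditd Syscall`; that sentence should name auditd SYSCALL telemetry so analysts know which log to check when triaging.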
@@ -20,7 +40,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -50,6 +75,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: linux:audit
\ No newline at end of file
diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml
index dddc777142..301ca8ce13 100644
--- a/detections/endpoint/linux_auditd_auditd_service_stop.yml
+++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml 
@@ -1,16 +1,34 @@
 name: Linux Auditd Auditd Service Stop
 id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d
 version: 3
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the suspicious auditd service stop. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.
+description: The following analytic detects the suspicious auditd service stop. This
+ behavior is critical for a SOC to monitor because it may indicate attempts to gain
+ unauthorized access or maintain control over a system. Such actions could be signs
+ of malicious activity. If confirmed, this could lead to serious consequences, including
+ a compromised system, unauthorized access to sensitive data, or even a wider breach
+ affecting the entire network. Detecting and responding to these signs early is essential
+ to prevent potential security incidents.
 data_source:
 - Linux Auditd Service Stop
-search: '`linux_auditd` type=SERVICE_STOP unit IN ("auditd") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_auditd_service_stop_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems.
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` type=SERVICE_STOP unit IN ("auditd") | rename host as dest
+ | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm
+ exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
+ `linux_auditd_auditd_service_stop_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+ executions and process details on Unix/Linux systems. These logs should be ingested
+ and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+ for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
 drilldown_searches:
@@ -19,7 +37,12 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
@@ -46,6 +69,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: linux:audit
\ No newline at end of file
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index 4c97560dad..796827f658 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -1,35 +1,59 @@
-name: Linux Auditd Base64 Decode Files
-id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737
-version: 3
-date: '2025-01-15'
+name: Linux Auditd Change File Owner To Root
+id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90
+version: 4
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
-type: Anomaly
-description: The following analytic detects suspicious Base64 decode operations that may indicate malicious activity, such as data exfiltration or execution of encoded commands. Base64 is commonly used to encode data for safe transmission, but attackers may abuse it to conceal malicious payloads. This detection focuses on identifying unusual or unexpected Base64 decoding processes, particularly when associated with critical files or directories. By monitoring these activities, the analytic helps uncover potential threats, enabling security teams to respond promptly and mitigate risks associated with encoded malware or unauthorized data access.
+type: TTP
+description: The following analytic detects the use of the 'chown' command to change
+ a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically
+ monitoring command-line executions and process details. This activity is significant
+ as it may indicate an attempt to escalate privileges by adversaries, malware, or
+ red teamers. If confirmed malicious, this action could allow an attacker to gain
+ root-level access, leading to full control over the compromised host and potential
+ persistence within the environment.
 data_source:
-- Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_base64_decode_files_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+- Linux Auditd Proctitle
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as
+ dest | where LIKE (process_exec, "%chown %root%") | stats count min(_time) as firstTime
+ max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter
+ dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
+ `linux_auditd_change_file_owner_to_root_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+ executions and process details on Unix/Linux systems. These logs should be ingested
+ and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can execute this command.
+ Please update the filter macros to remove false positives.
 references:
-- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
-- https://gtfobins.github.io/gtfobins/dd/
+- https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users
+- https://askubuntu.com/questions/617850/changing-from-user-to-superuser
 drilldown_searches:
 - name: View the detection results for - "$dest$"
 search: '%original_detection_search% | search dest = "$dest$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using
- base64.
+ message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner
+ to root.
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 64
 threat_objects: []
 tags:
 analytic_story:
@@ -39,7 +63,8 @@ tags:
 - Compromised Linux Host
 asset_type: Endpoint
 mitre_attack_id:
- - T1140
+ - T1222.002
+ - T1222
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
@@ -48,6 +73,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
+ sourcetype: linux:audit
\ No newline at end of file
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
index 798a41de8e..f78ea55eae 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
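Review bot: This hunk replaces the entire content of linux_auditd_base64_decode_files.yml with the Change File Owner To Root analytic: `name`, `id`, `data_source`, `search` and the `linux_auditd_change_file_owner_to_root_filter` macro all belong to the chown detection, and the mitre_attack_id and tests hunks in this section follow from the same replacement. The macro name implies a separate linux_auditd_change_file_owner_to_root detection already exists, so this looks like chown content written to the wrong path, which silently drops the Base64 decode coverage (T1140) and would leave two detections sharing `id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90` if that other file keeps it. If the base64 detection is meant to be retired it should be removed or marked deprecated explicitly rather than overwritten; otherwise restore the original content and keep only the reflow. Separately, the new test dataset path sits under `attack_techniques/T1053.002/linux_auditd_chown_root/` while `mitre_attack_id` lists `T1222.002`, so the dataset location is worth confirming before merge.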
@@ -1,16 +1,35 @@
 name: Linux Auditd Data Transfer Size Limits Via Split Syscall
 id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e
 version: 3
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.
+description: The following analytic detects suspicious data transfer activities that
+ involve the use of the `split` syscall, potentially indicating an attempt to evade
+ detection by breaking large files into smaller parts. Attackers may use this technique
+ to bypass size-based security controls, facilitating the covert exfiltration of
+ sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall,
+ this analytic helps identify potential data exfiltration attempts, allowing security
+ teams to intervene and prevent the unauthorized transfer of critical information
+ from the network.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as
+ dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL
+ UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
+ `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+ executions and process details on Unix/Linux systems.
These logs should be ingested
+ and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can use this application
+ for automation purposes. Please update the filter macros to remove false positives.
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
 drilldown_searches:
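Review bot: The reflowed `description` still calls split a syscall ("the use of the `split` syscall", twice), but the `search` matches `comm=split` / `exe= "*/split"` on `type=SYSCALL` records, i.e. executions of the coreutils `split` binary observed through auditd, so the text should say "the `split` command" to avoid sending analysts after a syscall that does not exist. The predicate `type=SYSCALL comm=split OR exe= "*/split"` is also unparenthesized; with SPL's AND-before-OR precedence `type=SYSCALL` binds only to the `comm` term, so a parenthesized form such as `type=SYSCALL (comm=split OR exe="*/split")` states the intent more precisely.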
@@ -19,7 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -47,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml index 6c9556388c..9d205070c0 100644 --- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml 
+++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Dd File Overwrite id: d1b74420-4cea-4752-a123-9b40dfcca49a version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Linux Auditd telemetry, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions. +description: The following analytic detects the use of the 'dd' command to overwrite + files on a Linux system. It leverages data from Linux Auditd telemetry, focusing + on process execution logs that include command-line details. This activity is significant + because adversaries often use the 'dd' command to destroy or irreversibly overwrite + files, disrupting system availability and services. If confirmed malicious, this + behavior could lead to data destruction, making recovery difficult and potentially + causing significant operational disruptions. data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_dd_file_overwrite_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%") | stats + count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_dd_file_overwrite_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. 
references: - https://gtfobins.github.io/gtfobins/dd/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md @@ -20,7 +39,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -46,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file 
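Review bot: The `where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%")` clause on the new side matches every dd invocation that names an output file, so routine disk imaging, swap-file creation and `dd if=/dev/zero of=./testfile` all alert even though the description and the T1485 reference target destructive overwrites; consider tagging the destructive shape, e.g. `| eval destructive=if(like(process_exec,"% of=/dev/%") OR like(process_exec,"%if=/dev/zero%") OR like(process_exec,"%if=/dev/urandom%"),"true","false")`, and at least naming those benign cases in known_false_positives instead of the generic "Administrator or network operator can execute this command". The `%dd %` substring is also only the command name as it appears in proctitle, so a copied or renamed dd binary is not seen; the split detection in this same series matches on `exe` from the SYSCALL record as well, which would close that gap, though it is not visible here which fields the `linux_auditd_normalized_proctitle_process` macro exposes. Separately, the hunk moves `date` backwards from 2025-01-20 to 2024-11-13 while leaving `version: 3`, and replaces "that consists of SYSCALL" with "that consist SYSCALL" in how_to_implement — both read as regressions rather than the typo fixes the commit title promises.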
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml index f1a1585c55..fe40910ff2 100644 --- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Disable Or Modify System Firewall id: 07052556-d4b5-4bae-89aa-cbdc1bb11250 version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the suspicious disable or modify system firewall. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents. +description: The following analytic detects the suspicious disable or modify system + firewall. This behavior is critical for a SOC to monitor because it may indicate + attempts to gain unauthorized access or maintain control over a system. Such actions + could be signs of malicious activity. If confirmed, this could lead to serious consequences, + including a compromised system, unauthorized access to sensitive data, or even a + wider breach affecting the entire network. Detecting and responding to these signs + early is essential to prevent potential security incidents. data_source: - Linux Auditd Service Stop -search: '`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_disable_or_modify_system_firewall_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw") | rename host + as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid + UID comm exe unit dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_disable_or_modify_system_firewall_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. 
references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: @@ -19,7 +37,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file 
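Review bot: `type=SERVICE_STOP unit IN ("firewalld", "ufw")` only sees systemd unit stops, so it misses the other common ways a host firewall is disabled or modified — `ufw disable`, `iptables -F`, `nft flush ruleset`, or stopping the `iptables`, `nftables` or `netfilter-persistent` units — which do not necessarily stop either of the two listed units, while the name and description promise "disable or modify"; at minimum the unit list should be widened, e.g. `unit IN ("firewalld", "ufw", "iptables", "nftables", "netfilter-persistent")`, and the description should say that only service stops are covered. SERVICE_STOP records are also emitted for every running unit during a normal shutdown or reboot and when a package upgrade restarts the service, so each host will alert on routine maintenance; known_false_positives should call that out explicitly, and the filter macro will likely need to suppress stops that coincide with a SYSTEM_SHUTDOWN record on the same host. The regression of `date` from 2025-01-20 to 2024-11-13 with `version` still 3 also looks unintended.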
diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index 55c71d3dd9..b5d39b01ed 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Doas Conf File Creation id: 61059783-574b-40d2-ac2f-69b898afd6b4 version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages Linux Auditd data, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root commands with root privileges, leading to full system compromise. +description: The following analytic detects the creation of the doas.conf file on + a Linux host. This file is used by the doas utility to allow standard users to perform + tasks as root, similar to sudo. The detection leverages Linux Auditd data, focusing + on the creation of the doas.conf file. This activity is significant because it can + indicate an attempt to gain elevated privileges, potentially by an adversary. If + confirmed malicious, this could allow an attacker to execute commands with root + commands with root privileges, leading to full system compromise. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name ="/etc/doas.conf*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_doas_conf_file_creation_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=PATH name ="/etc/doas.conf*" | rename host as dest | + stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_doas_conf_file_creation_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ 
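Review bot: The search filters on `type=PATH name="/etc/doas.conf*"` but never on `nametype`, so any syscall that produces a PATH record for that path — including doas itself reading its config on every invocation if the watch rule logs reads — matches, not just creation as the name and description state; `nametype` is already in the `stats ... by` clause, so a strict creation detection would use `nametype=CREATE`, and a create-or-modify detection `nametype IN ("CREATE", "NORMAL")` together with a write-only watch. That dependency is the bigger gap: PATH records for this file only appear when an audit watch covers it, and how_to_implement says nothing about one; a sentence such as "requires an auditd watch on the file, e.g. `-w /etc/doas.conf -p wa -k doas_conf` (the `-p wa` permissions keep reads out of the data)" would prevent silent no-data deployments. The trailing `*` in the name also matches `/etc/doas.conf.d/...` and backup files like `/etc/doas.conf~`, which may be intended but should be stated in the description.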
@@ -20,7 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -47,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index 202bba09f3..77245c77c3 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml 
+++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Doas Tool Execution id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system. +description: The following analytic detects the execution of the 'doas' tool on a + Linux host. This tool allows standard users to perform tasks with root privileges, + similar to 'sudo'. The detection leverages data from Linux Auditd, focusing on process + names and command-line executions. This activity is significant as 'doas' can be + exploited by adversaries to gain elevated privileges on a compromised host. If confirmed + malicious, this could lead to unauthorized administrative access, potentially compromising + the entire system. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_doas_tool_execution_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_doas_tool_execution_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://wiki.gentoo.org/wiki/Doas - https://www.makeuseof.com/how-to-install-and-use-doas/ 
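Review bot: `comm=doas` is the only selector in the search, and `comm` is the kernel's 15-character task name, which the caller controls (`prctl(PR_SET_NAME)`, or simply copying the binary under another name), so a renamed doas evades the detection while any unrelated program called `doas` trips it; the split detection elsewhere in this series pairs the two fields, and this search should do the same with `(comm=doas OR exe="*/doas")`. On hosts that use doas instead of sudo every legitimate privilege elevation will produce this SYSCALL record, so the analytic is effectively a per-host allow-list exercise; known_false_positives should say that directly rather than the generic "Administrator or network operator can execute this command". As with the sibling files, `date` moving back from 2025-01-20 to 2024-11-13 with `version: 3` unchanged looks unintended.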
@@ -20,7 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index 4c16052073..4ad3409e1e 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml 
+++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Edit Cron Table Parameter id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise. +description: The following analytic detects the suspicious editing of cron jobs in + Linux using the crontab command-line parameter (-e). It identifies this activity + by monitoring command-line executions involving 'crontab' and the edit parameter. + This behavior is significant for a SOC as cron job manipulations can indicate unauthorized + persistence attempts or scheduled malicious actions. If confirmed malicious, this + activity could lead to system compromise, unauthorized access, or broader network + compromise. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_edit_cron_table_parameter_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN + ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats + count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid + pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_edit_cron_table_parameter_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. 
Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1053/003/ drilldown_searches: @@ -19,7 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -49,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file 
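Review bot: The description says the analytic detects the `crontab -e` parameter, but the search keys on `SYSCALL=rename` by a crontab `comm`/`exe` and never looks at EXECVE arguments, so it fires equally on `crontab <file>` and `crontab -` (the non-interactive installs config management uses, which are the usual noise source) and does not check the edit flag at all; either reword the description to "crontab invocations that replace a user's cron spool file", or join the `-e` argument from the EXECVE record of the same audit event. `NOT (UID IN("daemon"))` compares `UID` to a user name, which is only present when auditd writes `log_format = ENRICHED` records or the ingestion path resolves ids; with the default numeric `uid=` the exclusion silently never matches, so that prerequisite belongs in how_to_implement, e.g. "the UID exclusion assumes enriched audit logs (`log_format = ENRICHED` in auditd.conf) or id-to-name resolution at ingest". The enclosing `search:` value is fully inside the hunk, but the drilldown and test sections of this file are in separate hunks.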
diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml index c242b8d08f..ca781680fa 100644 --- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml +++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Kernel Module Using Rmmod Utility id: 31810b7a-0abe-42be-a210-0dec8106afee version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious use of the `rmmod` utility for kernel module removal, which may indicate an attacker attempt to unload critical or security-related kernel modules. The `rmmod` command is used to remove modules from the Linux kernel, and unauthorized use can be a tactic to disable security features, conceal malicious activities, or disrupt system operations. By monitoring for unusual or unauthorized `rmmod` activity, this analytic helps identify potential tampering with kernel modules, enabling security teams to take proactive measures to protect system integrity and security. +description: The following analytic detects suspicious use of the `rmmod` utility + for kernel module removal, which may indicate an attacker attempt to unload critical + or security-related kernel modules. The `rmmod` command is used to remove modules + from the Linux kernel, and unauthorized use can be a tactic to disable security + features, conceal malicious activities, or disrupt system operations. By monitoring + for unusual or unauthorized `rmmod` activity, this analytic helps identify potential + tampering with kernel modules, enabling security teams to take proactive measures + to protect system integrity and security. 
data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_kernel_module_using_rmmod_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest | stats count + min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid + success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_kernel_module_using_rmmod_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
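Review bot: The `date` field on the new side moves backwards, from `'2025-01-20'` to `'2024-11-13'`, while `version: 3` is left untouched; that looks like a rebase or merge artefact rather than an intended change, since a detection's date normally advances together with its version, and it is worth confirming before merge. The reflowed `how_to_implement` also changes "auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events" into "auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events", reintroducing a grammar error the removed line had already corrected; the wrapped line should read `data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line`. Both points apply equally to the first hunk of linux_auditd_nopasswd_entry_in_sudoers_file.yml, linux_auditd_osquery_service_stop.yml, linux_auditd_possible_access_or_modification_of_sshd_config_file.yml, linux_auditd_possible_access_to_credential_files.yml and linux_auditd_possible_access_to_sudoers_file.yml in this patch.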
@@ -19,7 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml index 3720c29aba..9b21168ed5 100644 
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -1,16 +1,35 @@ name: Linux Auditd Nopasswd Entry In Sudoers File id: 651df959-ad17-4b73-a323-90cb96d5fa1b version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Linux Auditd data to identify command lines containing "NOPASSWD:". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity. +description: The following analytic detects the addition of NOPASSWD entries to the + /etc/sudoers file on Linux systems. It leverages Linux Auditd data to identify command + lines containing "NOPASSWD:". This activity is significant because it allows users + to execute commands with elevated privileges without requiring a password, which + can be exploited by adversaries to maintain persistent, privileged access. If confirmed + malicious, this could lead to unauthorized privilege escalation, persistent access, + and potential compromise of sensitive data and system integrity. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%NOPASSWD%") | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_nopasswd_entry_in_sudoers_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%NOPASSWD%") | stats count min(_time) as firstTime + max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_nopasswd_entry_in_sudoers_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands - https://help.ubuntu.com/community/Sudoers 
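Review bot: The search on the new `search:` line matches any proctitle containing the substring NOPASSWD (`where LIKE (process_exec, "%NOPASSWD%")`) and never references /etc/sudoers, so the detection name and the description's claim that it "detects the addition of NOPASSWD entries to the /etc/sudoers file" overstate what the SPL actually checks; a read-only command line that merely mentions the keyword produces the same hit as a real sudoers edit. Either the description should be reworded to say the analytic flags any process command line containing NOPASSWD, or `known_false_positives` should note that administrators inspecting or auditing sudoers configuration will trigger it. If the intent really is to catch edits, the filter needs an additional condition tied to the sudoers file path, which this commit does not add.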
@@ -20,7 +39,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml index 3bdf4cc7ec..7d488b6bc3 100644 --- a/detections/endpoint/linux_auditd_osquery_service_stop.yml 
+++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Osquery Service Stop id: 0c320fea-6e87-4b99-a884-74d09d4b655d version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious stopping of the `osquery` service, which may indicate an attempt to disable monitoring and evade detection. `Osquery` is a powerful tool used for querying system information and detecting anomalies, and stopping its service can be a sign that an attacker is trying to disrupt security monitoring or hide malicious activities. By monitoring for unusual or unauthorized stops of the `osquery` service, this analytic helps identify potential efforts to bypass security controls, enabling security teams to investigate and respond to possible threats effectively. +description: The following analytic detects suspicious stopping of the `osquery` service, + which may indicate an attempt to disable monitoring and evade detection. `Osquery` + is a powerful tool used for querying system information and detecting anomalies, + and stopping its service can be a sign that an attacker is trying to disrupt security + monitoring or hide malicious activities. By monitoring for unusual or unauthorized + stops of the `osquery` service, this analytic helps identify potential efforts to + bypass security controls, enabling security teams to investigate and respond to + possible threats effectively. 
data_source: - Linux Auditd Service Stop -search: '`linux_auditd` type=SERVICE_STOP unit IN ("osqueryd") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_osquery_service_stop_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SERVICE_STOP unit IN ("osqueryd") | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm + exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_osquery_service_stop_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
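Review bot: The `how_to_implement` text on the new lines tells a deployer that the detection is built on SYSCALL, TYPE, EXECVE and PROCTITLE events, but the search immediately above filters `type=SERVICE_STOP`, an event type the implementation note never mentions, so someone who ingests exactly the listed record types will get no results from this analytic. Suggest appending to `how_to_implement` a sentence such as `This detection specifically requires auditd SERVICE_STOP records (type=SERVICE_STOP), as named by the Linux Auditd Service Stop data source; confirm they are present in the ingested audit.log.` Minor style point: the single-element `unit IN ("osqueryd")` reads more plainly as `unit="osqueryd"`, though both behave the same.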
@@ -19,7 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -47,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file 
diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
index 70e240b1dc..68d0ffc22c 100644
--- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
@@ -1,16 +1,35 @@ name: Linux Auditd Possible Access Or Modification Of Sshd Config File id: acb3ea33-70f7-47aa-b335-643b3aebcb2f version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. It leverages data from Linux Auditd, focusing on command-line executions involving processes like "cat," "nano," "vim," and "vi" accessing the sshd_config file. This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk. +description: The following analytic detects suspicious access or modification of the + sshd_config file on Linux systems. It leverages data from Linux Auditd, focusing + on command-line executions involving processes like "cat," "nano," "vim," and "vi" + accessing the sshd_config file. This activity is significant because unauthorized + changes to sshd_config can allow threat actors to redirect port connections or use + unauthorized keys, potentially compromising the system. If confirmed malicious, + this could lead to unauthorized access, privilege escalation, or persistent backdoor + access, posing a severe security risk. 
data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/ssh/ssh_config*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=PATH name="/etc/ssh/ssh_config*" | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ - https://attack.mitre.org/techniques/T1098/004/ 
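Review bot: The path filter on the new `search:` line, `name="/etc/ssh/ssh_config*"`, does not match `/etc/ssh/sshd_config`: the wildcard only extends the suffix and "sshd_config" does not begin with "ssh_config", so a detection named and described for the sshd daemon configuration only fires on the client-side `ssh_config` and its variants. Replacing the filter with `name IN ("/etc/ssh/sshd_config*", "/etc/ssh/ssh_config*")` covers the file the description talks about while keeping every current match. Separately, the description says the analytic focuses on command-line executions involving "cat", "nano", "vim" and "vi", but the search consumes `type=PATH` records grouped by `name nametype OGID type dest` and inspects no process name at all, so that sentence should be reworded to describe PATH-record access to the file rather than editor invocations.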
@@ -20,7 +39,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -49,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml index d1b5f03bb9..3a4c356dff 100644 
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,16 +1,37 @@ name: Linux Auditd Possible Access To Credential Files id: 0419cb7a-57ea-467b-974f-77c303dfe2a3 version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Linux Auditd, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. If confirmed malicious, privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise. +description: The following analytic detects attempts to access or dump the contents + of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Linux + Auditd, focusing on processes like 'cat', 'nano', 'vim', and 'vi' accessing these + files. This activity is significant as it may indicate credential dumping, a technique + used by adversaries to gain persistence or escalate privileges. If confirmed malicious, + privileges. If confirmed malicious, attackers could obtain hashed passwords for + offline cracking, leading to unauthorized access and potential system compromise. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE (process_exec, "%shadow%") OR LIKE (process_exec, "%passwd%")) AND (LIKE (process_exec, "%cat %") OR LIKE (process_exec, "%nano %")OR LIKE (process_exec, "%vim %") OR LIKE (process_exec, "%vi %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_possible_access_to_credential_files_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE (process_exec, "%shadow%") OR LIKE (process_exec, "%passwd%")) + AND (LIKE (process_exec, "%cat %") OR LIKE (process_exec, "%nano %")OR LIKE (process_exec, + "%vim %") OR LIKE (process_exec, "%vi %")) | stats count min(_time) as firstTime + max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter + dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_possible_access_to_credential_files_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd - https://attack.mitre.org/techniques/T1003/008/ 
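Review bot: The reflowed description carries over the duplicated fragment `escalate privileges. If confirmed malicious, privileges. If confirmed malicious, attackers could obtain`, which a commit focused on wording should have caught; it should read `used by adversaries to gain persistence or escalate privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.` In the search, `"%nano %")OR LIKE (process_exec,` is missing the space before `OR`; Splunk tolerates it, but `"%nano %") OR LIKE (process_exec,` matches the spacing used by the rest of the expression. Note also that `"%passwd%"` combined with the editor patterns will match any file whose name contains "passwd" (for example a user's own notes file), which `known_false_positives` does not currently mention.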
@@ -20,7 +41,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index b7ae713fdb..e9c03d6886 100644 
--- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -1,16 +1,34 @@ name: Linux Auditd Possible Access To Sudoers File id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834 version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Linux Auditd, focusing on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host. +description: The following analytic detects potential access or modification of the + /etc/sudoers file on a Linux system. It leverages data from Linux Auditd, focusing + on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file. + This activity is significant because the sudoers file controls user permissions + for executing commands with elevated privileges. If confirmed malicious, an attacker + could gain persistence or escalate privileges, compromising the security of the + targeted host. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/sudoers*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_possible_access_to_sudoers_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: administrator or network operator can execute this command. Please update the filter macros to remove false positives.
+search: '`linux_auditd` type=PATH name="/etc/sudoers*" | rename host as dest | stats
+ count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type
+ dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
+ `linux_auditd_possible_access_to_sudoers_file_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+ executions and process details on Unix/Linux systems. These logs should be ingested
+ and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: administrator or network operator can execute this command.
+ Please update the filter macros to remove false positives.
references: - https://attack.mitre.org/techniques/T1548/003/ - https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf @@ -20,7 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +71,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log source: /var/log/audit/audit.log sourcetype: linux:audit + \ No newline at end of file 
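Review bot: The rewrapped `how_to_implement` text in this hunk turns the grammatical "data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures" into "data, that consist SYSCALL, ... which captures", which is a regression in a commit whose subject is "typo fixes"; the wrapped line should read `data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which capture command-line`. The `date` field also moves backwards from '2025-01-20' to '2024-11-13' while `version: 3` is unchanged, which looks like a rebase artifact rather than an intended edit and is worth confirming. On the detection itself, the description says the analytic focuses on "cat," "nano," "vim," and "vi" accessing /etc/sudoers, but the search keys only on PATH-record fields (`name nametype OGID type`) and never looks at `comm` or `exe`, so either the description should drop the process-name claim or the search should be correlated with the matching SYSCALL record; as written, a read by `cat` and a write by `visudo` land in the same bucket, and `nametype` is grouped but not used to distinguish them. The `+ ` line added before "\ No newline at end of file" in the tests hunk is a whitespace-only line and should be dropped.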
diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index b404a42ce6..d80e3059c5 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -54,6 +54,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index d44e083fbb..1090b25606 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Preload Hijack Via Preload File id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious preload hijacking via the `preload` file, which may indicate an attacker's attempt to intercept or manipulate library loading processes. The `preload` file can be used to force the loading of specific libraries before others, potentially allowing malicious code to execute or alter application behavior. By monitoring for unusual or unauthorized modifications to the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, enabling security teams to investigate and address potential threats to system integrity and security. +description: The following analytic detects suspicious preload hijacking via the `preload` + file, which may indicate an attacker's attempt to intercept or manipulate library + loading processes. The `preload` file can be used to force the loading of specific + libraries before others, potentially allowing malicious code to execute or alter + application behavior. By monitoring for unusual or unauthorized modifications to + the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, + enabling security teams to investigate and address potential threats to system integrity + and security. 
data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/ld.so.preload*" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_preload_hijack_via_preload_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=PATH name="/etc/ld.so.preload*" | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID + type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_preload_hijack_via_preload_file_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
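Review bot: The `how_to_implement` text does not say which audit rule this PATH search depends on, and that matters for `name="/etc/ld.so.preload*"` more than for most watches: the dynamic loader opens /etc/ld.so.preload at every process start, so a watch with read permission (`-p rwa`) would presumably produce a PATH record on every exec and this TTP would fire continuously, whereas a write/attribute watch (`-p wa`) matches the "modifications" the description promises. Suggest adding a sentence such as `This detection expects a write/attribute watch on the preload file, e.g. -w /etc/ld.so.preload -p wa -k preload; a read watch will generate an event for every process launch.` The rewrap also changes "that consists of SYSCALL ... which captures" to "that consist SYSCALL ... which captures", which is a grammatical regression; the wrapped line should be `data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which capture command-line`.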
@@ -19,7 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -47,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml index 0e5f984f6a..2ff0bce4f1 100644 
--- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -1,30 +1,55 @@ -name: Linux Auditd Private Keys and Certificate Enumeration -id: 80bb9988-190b-4ee0-a3c3-509545a8f678 -version: 4 -date: '2025-01-15' +name: Linux Auditd Install Kernel Module Using Modprobe Utility +id: 95165985-ace5-4d42-9c42-93a89a5af901 +version: 3 +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information. +description: The following analytic detects the installation of a Linux kernel module + using the modprobe utility. It leverages data from Linux Auditd, focusing on process + names and command-line executions. This activity is significant because installing + a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level + code, potentially leading to elevated privileges and bypassing security detections. + If confirmed malicious, this could allow an attacker to gain persistent, high-level + access to the system, compromising its integrity and security. 
data_source:
-- Linux Auditd Execve
-search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_private_keys_and_certificate_enumeration_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+- Linux Auditd Syscall
+search: '`linux_auditd` type=SYSCALL comm=modprobe | rename host as dest | stats count
+ min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid
+ success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
+ `linux_auditd_install_kernel_module_using_modprobe_utility_filter`'
+how_to_implement: To implement this detection, the process begins by ingesting auditd
+ data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
+ executions and process details on Unix/Linux systems. These logs should be ingested
+ and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
+ which is essential for correctly parsing and categorizing the data. The next step
+ involves normalizing the field names to match the field names set by the Splunk
+ Common Information Model (CIM) to ensure consistency across different data sources
+ and enhance the efficiency of data modeling. This approach enables effective monitoring
+ and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can execute this command.
+ Please update the filter macros to remove false positives.
references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS +- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ +- https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup +- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to find private keys. 
+ message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to install a + Linux kernel module using the modprobe utility. risk_objects: - field: dest type: system @@ -32,14 +57,14 @@ rba: threat_objects: [] tags: analytic_story: - - Linux Living Off The Land - Linux Privilege Escalation + - Linux Rootkit - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint mitre_attack_id: - - T1552.004 - - T1552 + - T1547.006 + - T1547 product: - Splunk Enterprise - Splunk Enterprise Security @@ -48,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log source: /var/log/audit/audit.log - sourcetype: linux:audit + sourcetype: linux:audit \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml index e70eac26b5..a619b94f79 100644 --- a/detections/endpoint/linux_auditd_service_restarted.yml +++ b/detections/endpoint/linux_auditd_service_restarted.yml 
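Review bot: This hunk replaces the entire body of linux_auditd_private_keys_and_certificate_enumeration.yml — name, id, description, data_source, search, references, RBA message and (in the following hunks) analytic_story, MITRE ids and test dataset — with the "Install Kernel Module Using Modprobe Utility" detection, so the private-key/certificate enumeration analytic (T1552.004) silently disappears and this file becomes a second copy of a modprobe detection whose filter macro `linux_auditd_install_kernel_module_using_modprobe_utility_filter` and id 95165985-ace5-4d42-9c42-93a89a5af901 presumably already belong to a file of that name. That is far outside the "typo fixes and some logic update" subject and looks like a wrong-file paste; the original content should be restored, with only the rewrap applied, and the duplicate id would otherwise collide at content-build time. If the modprobe search is kept anywhere, note that `comm=modprobe` also matches the kernel's own module autoload path (the kernel spawns /sbin/modprobe via request_module during normal operation) and that `comm` is settable by the process itself, so keying on `exe` as well, and calling the autoload noise out in `known_false_positives`, would make it more robust.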
@@ -1,16 +1,36 @@ name: Linux Auditd Service Restarted id: 8eb3e858-18d3-44a4-a514-52cfa39f154a version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Linux Auditd, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. Security analysts should investigate these events to mitigate risks and prevent further compromise. +description: The following analytic detects the restarting or re-enabling of services + on Linux systems using the `systemctl` or `service` commands. It leverages data + from Linux Auditd, focusing on process and command-line execution logs. This activity + is significant as adversaries may use it to maintain persistence or execute unauthorized + actions. If confirmed malicious, this behavior could lead to repeated execution + of malicious payloads, unauthorized access, or data destruction. Security analysts + should investigate these events to mitigate risks and prevent further compromise. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service %") ) AND(LIKE(process_exec, "%restart%") OR LIKE(process_exec, "%reenable%") OR LIKE(process_exec, "%reload%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_service_restarted_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service + %") ) AND(LIKE(process_exec, "%restart%") OR LIKE(process_exec, "%reenable%") OR + LIKE(process_exec, "%reload%")) | stats count min(_time) as firstTime max(_time) + as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_service_restarted_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this commandline + for automation purposes. Please update the filter macros to remove false positives. references: - https://attack.mitre.org/techniques/T1543/003/ drilldown_searches: 
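Review bot: `LIKE(process_exec, "%reload%")` in the rewrapped search also matches `systemctl daemon-reload`, which configuration-management tooling issues routinely after dropping unit files, and `"%restart%"` matches that substring anywhere in the command line, so this anomaly is likely to be noisy on managed fleets; the companion service-started search bounds its verbs with spaces (`"% start %"`), and the same pattern here — `LIKE(process_exec, "% restart %") OR LIKE(process_exec, "% reenable %") OR LIKE(process_exec, "% reload %")` — would exclude `daemon-reload` while keeping the intended verbs. If the broader match is deliberate, `known_false_positives` should at least name `daemon-reload` as an expected source. The rewrap also changes "that consists of SYSCALL ... which captures" to "that consist SYSCALL ... which captures", a grammatical regression; the wrapped line should be `data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which capture command-line`.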
@@ -19,7 +39,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -52,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml index aeb9364bc8..2e878c1779 100644 --- a/detections/endpoint/linux_auditd_service_started.yml +++ b/detections/endpoint/linux_auditd_service_started.yml 
@@ -1,16 +1,36 @@ name: Linux Auditd Service Started id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious service started. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents. +description: The following analytic detects the suspicious service started. This behavior + is critical for a SOC to monitor because it may indicate attempts to gain unauthorized + access or maintain control over a system. Such actions could be signs of malicious + activity. If confirmed, this could lead to serious consequences, including a compromised + system, unauthorized access to sensitive data, or even a wider breach affecting + the entire network. Detecting and responding to these signs early is essential to + prevent potential security incidents. 
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service %") ) AND(LIKE(process_exec, "% start %") OR LIKE(process_exec, "% enable %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_service_started_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service + %") ) AND(LIKE(process_exec, "% start %") OR LIKE(process_exec, "% enable %")) | + stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle + normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_service_started_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
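Review bot: The rewrapped `known_false_positives` still says "Administrator or network operator can use this application for automation purposes" although no application is named — the search matches `systemctl`/`service` with `start`/`enable` — so the sentence reads as copied from another detection; something like `Administrators and configuration-management tooling routinely start and enable services; package post-install scripts do the same. Please update the filter macros to remove false positives.` would tell an analyst what to expect. The `date` field moves backwards from '2025-01-20' to '2024-11-13' with `version: 3` unchanged, which looks like a rebase artifact worth confirming, and the rewrap introduces the same "that consist SYSCALL ... which captures" grammar regression seen in the sibling files.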
@@ -19,7 +39,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml index d958d0309d..7c32e22160 100644 --- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml 
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml 
@@ -1,16 +1,36 @@
 name: Linux Auditd Setuid Using Chmod Utility
 id: 8230c407-1b47-4d95-ac2e-718bd6381386
 version: 3
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Linux Auditd, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.
+description: The following analytic detects the execution of the chmod utility to
+ set the SUID or SGID bit on files, which can allow users to temporarily gain root
+ or group-level access. This detection leverages data from Linux Auditd, focusing
+ on process names and command-line arguments related to chmod. This activity is significant
+ as it can indicate an attempt to escalate privileges or maintain persistence on
+ a system. If confirmed malicious, an attacker could gain elevated access, potentially
+ compromising sensitive data or critical system functions.
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%chmod %") AND (LIKE (process_exec, "% u+s %") OR LIKE (process_exec, "% g+s %") OR LIKE (process_exec, "% 4777 %") OR LIKE (process_exec, "% 4577 %")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_chmod_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%chmod %") AND (LIKE (process_exec, "% u+s + %") OR LIKE (process_exec, "% g+s %") OR LIKE (process_exec, "% 4777 %") OR LIKE + (process_exec, "% 4577 %")) | stats count min(_time) as firstTime max(_time) as + lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`| `linux_auditd_setuid_using_chmod_utility_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can execute this command. + Please update the filter macros to remove false positives. references: - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ drilldown_searches: 
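Review bot: The mode list in the `where` clause of the new `search` still misses the most common SUID-setting invocations: `chmod 4755 file`, `chmod 2755`, `chmod 6755`, `chmod +s file` and `chmod ug+s file` match none of `% u+s %`, `% g+s %`, `% 4777 %`, `% 4577 %`, so the canonical `cp /bin/bash /tmp/x; chmod 4755 /tmp/x` escalation goes undetected, and `4577` itself looks like a typo for `4755`. Consider replacing the numeric literals with a regex on the octal mode and dropping the surrounding-space requirement on the symbolic form: `| where LIKE(process_exec, "%chmod %") AND (LIKE(process_exec, "%+s%") OR match(process_exec, "\s[2-7][0-7]{3}\s"))`. The symbolic branch will then also catch `a+s`/`ug+s`, and the existing `linux_auditd_setuid_using_chmod_utility_filter` macro remains the place to tune out legitimate packaging scripts. The commit only refolds this line; the matching logic is unchanged from the removed line.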
@@ -19,7 +39,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +73,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml index bcd4d675a9..6d09005763 100644 --- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml +++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml 
@@ -1,16 +1,36 @@
 name: Linux Auditd Shred Overwrite Command
 id: ce2bde4d-a1d4-4452-8c87-98440e5adfb3
 version: 3
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic detects the execution of the 'shred' command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Linux Auditd, focusing on process names and command-line arguments. This activity is significant because the 'shred' command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability.
+description: The following analytic detects the execution of the 'shred' command on
+ a Linux machine, which is used to overwrite files to make them unrecoverable. It
+ leverages data from Linux Auditd, focusing on process names and command-line arguments.
+ This activity is significant because the 'shred' command can be used in destructive
+ attacks, such as those seen in the Industroyer2 malware targeting energy facilities.
+ If confirmed malicious, this activity could lead to the permanent destruction of
+ critical files, severely impacting system integrity and data availability.
data_source: - Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host as dest | where LIKE (process_exec, "%shred%") AND (LIKE (process_exec, "%-n%") OR LIKE (process_exec, "%-z%") OR LIKE (process_exec, "%-u%") OR LIKE (process_exec, "%-s%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_shred_overwrite_command_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` `linux_auditd_normalized_proctitle_process` | rename host + as dest | where LIKE (process_exec, "%shred%") AND (LIKE (process_exec, "%-n%") + OR LIKE (process_exec, "%-z%") OR LIKE (process_exec, "%-u%") OR LIKE (process_exec, + "%-s%")) | stats count min(_time) as firstTime max(_time) as lastTime by process_exec + proctitle normalized_proctitle_delimiter dest | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `linux_auditd_shred_overwrite_command_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - https://cert.gov.ua/article/39518 
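Review bot: The new `search` still requires one of `-n`, `-z`, `-u`, `-s` alongside `%shred%`, so a bare `shred /var/log/auth.log` (which overwrites with the default three passes) and long-option forms such as `shred --remove` or `--iterations=5` produce no match, while the unanchored `%shred%` plus `%-s%`/`%-n%` fires on unrelated command lines like `cat -n shredder.log`. Since the description says the analytic detects execution of `shred` itself, the option requirement could be dropped and the binary matched as a token instead: `| where match(process_exec, "(^|/|\s)shred(\s|$)")`. If the `process_exec` value produced by `linux_auditd_normalized_proctitle_process` uses a delimiter other than whitespace, the regex should follow that macro's output; the `known_false_positives` text and the filter macro remain the intended place for tuning. The commit only refolds this line; the matching logic is the same as on the removed line.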
@@ -20,7 +40,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -50,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml index 2cb80778a0..fd87cbaabc 100644 --- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml +++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml 
@@ -1,16 +1,34 @@ name: Linux Auditd Sysmon Service Stop id: 20901256-633a-40de-8753-7b88811a460f version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the suspicious sysmon service stop. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents. +description: The following analytic detects the suspicious sysmon service stop. This + behavior is critical for a SOC to monitor because it may indicate attempts to gain + unauthorized access or maintain control over a system. Such actions could be signs + of malicious activity. If confirmed, this could lead to serious consequences, including + a compromised system, unauthorized access to sensitive data, or even a wider breach + affecting the entire network. Detecting and responding to these signs early is essential + to prevent potential security incidents. data_source: - Linux Auditd Service Stop -search: '`linux_auditd` type=SERVICE_STOP unit IN ("sysmon") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_sysmon_service_stop_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. 
These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SERVICE_STOP unit IN ("sysmon") | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm + exe unit dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_sysmon_service_stop_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. 
references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: @@ -19,7 +37,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -47,6 +70,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log source: /var/log/audit/audit.log sourcetype: linux:audit 
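Review bot: The new `search` only sees `type=SERVICE_STOP unit IN ("sysmon")`, i.e. the audit message recorded when the unit is stopped, so tampering that does not go through a unit stop — `systemctl disable` or `mask sysmon`, a `kill -9` of the sysmon process, or editing its configuration to stop forwarding — stays invisible, and whether a crash or kill yields a SERVICE_STOP record at all depends on systemd rather than on this rule. The refolded `how_to_implement` text is the same EXECVE/PROCTITLE boilerplate used by the proctitle analytics and never tells an implementer that SERVICE_STOP records are, as far as I know, emitted by systemd over the audit socket rather than by any auditd syscall rule. Suggest appending a sentence such as `This analytic depends on SERVICE_STOP records emitted by systemd; confirm they appear in the audit log, since no auditd syscall or watch rule produces them.` and pairing the detection with the proctitle-based coverage of `systemctl disable|mask` and `kill`/`pkill`. Minor: the new wording `data, that consist SYSCALL` dropped the `of` that the removed line had.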
diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
index 8691c24bfe..b518e8fa93 100644
--- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
+++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
@@ -1,16 +1,38 @@
 name: Linux Auditd System Network Configuration Discovery
 id: 5db16825-81bd-4923-a8d6-d6a13a59832a
 version: 3
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects suspicious system network configuration discovery activities, which may indicate an adversary's attempt to gather information about the network environment. Such actions typically involve commands or tools used to identify network interfaces, routing tables, and active connections. Detecting these activities is crucial, as they often precede more targeted attacks like lateral movement or data exfiltration. By identifying unusual or unauthorized network discovery efforts, this analytic helps security teams to swiftly detect and respond to potential reconnaissance operations, mitigating the risk of further compromise.
+description: The following analytic detects suspicious system network configuration
+ discovery activities, which may indicate an adversary's attempt to gather information
+ about the network environment. Such actions typically involve commands or tools
+ used to identify network interfaces, routing tables, and active connections. Detecting
+ these activities is crucial, as they often precede more targeted attacks like lateral
+ movement or data exfiltration. By identifying unusual or unauthorized network discovery
+ efforts, this analytic helps security teams to swiftly detect and respond to potential
+ reconnaissance operations, mitigating the risk of further compromise.
data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest | where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_system_network_configuration_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", + "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename + host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) + as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) + as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest | + where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `linux_auditd_system_network_configuration_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: 
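Review bot: In the new `search`, `bucket _time span=15m` has no effect because `_time` is not part of the `stats ... by success dest` grouping, so `unique_commands` is counted per host over the entire search window rather than per 15-minute window as the bucketing implies; an administrator who runs `ip` on Monday and `ss` on Wednesday accumulates toward the `>= 4` threshold exactly like a burst of reconnaissance. Grouping by `success` additionally splits one actor's commands across two rows (three that succeeded, one that failed), so the threshold can be missed for the very session that matters. The grouping should become `... max(_time) as lastTime by _time dest |`, with `success` carried as a `values(success) as success` column instead of a group key. The analytic is typed `Anomaly`, so this is a tuning defect rather than a hard miss, but it is worth fixing while the line is being touched; the commit itself only refolds it.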
@@ -19,7 +41,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -47,6 +74,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index 9b4c91ba32..43a4fbf7f8 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml 
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml 
@@ -1,16 +1,40 @@
 name: Linux Auditd Unix Shell Configuration Modification
 id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04
 version: 3
-date: '2025-01-20'
+date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic detects suspicious modifications to Unix shell configuration files, which may indicate an attempt to alter system behavior or gain unauthorized access. Unix shell configuration files, such as `.bashrc` or `.profile`, control user environment settings and command execution. Unauthorized changes to these files can be used to execute malicious commands, escalate privileges, or hide malicious activities. By monitoring for unusual or unauthorized modifications to shell configuration files, this analytic helps identify potential security threats, allowing security teams to respond quickly and mitigate risks.
+description: The following analytic detects suspicious modifications to Unix shell
+ configuration files, which may indicate an attempt to alter system behavior or gain
+ unauthorized access. Unix shell configuration files, such as `.bashrc` or `.profile`,
+ control user environment settings and command execution. Unauthorized changes to
+ these files can be used to execute malicious commands, escalate privileges, or hide
+ malicious activities. By monitoring for unusual or unauthorized modifications to
+ shell configuration files, this analytic helps identify potential security threats,
+ allowing security teams to respond quickly and mitigate risks.
data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name IN ("/etc/profile", "/etc/shells", "/etc/profile.d", "/etc/bash.bashrc", "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc", "/root/.bash_profile", "root/.profile", "/root/.zshrc", "/root/.zprofile", "/home/*/.bashrc", "/home/*/.zshrc", "/home/*/.bash_profile", "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login", "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout") | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `linux_auditd_unix_shell_configuration_modification_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
+search: '`linux_auditd` type=PATH name IN ("/etc/profile", "/etc/shells", "/etc/profile.d", + "/etc/bash.bashrc", "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", + "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc", "/root/.bash_profile", + "root/.profile", "/root/.zshrc", "/root/.zprofile", "/home/*/.bashrc", "/home/*/.zshrc", + "/home/*/.bash_profile", "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login", + "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout") | rename host as + dest | stats count min(_time) as firstTime max(_time) as lastTime by name nametype + OGID type dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_unix_shell_configuration_modification_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS 
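Review bot: The new `search` carries over `"root/.profile"` without a leading slash, so that entry never matches an absolute `name=` value in a PATH record and root's `.profile` is effectively unmonitored; it should read `"/root/.profile"`. `"/etc/profile.d"` likewise matches only the directory entry itself, not the drop-in scripts inside it that are the usual persistence location, so `"/etc/profile.d/*"` is needed, and `.bash_login`/`.bash_logout` are listed under `/home/*` but not under `/root`. Because the search keys on `type=PATH` with no `nametype` or permission qualifier, it will also fire on reads if the deployed audit watches include read access, which the refolded `how_to_implement` text never mentions; a sentence such as `Requires auditd file watches (for example -w /etc/profile -p wa -k shell_config) on the listed paths; restrict them to write/attribute permissions so every login shell reading these files does not alert.` would help implementers. The commit only refolds this line, so the path list is unchanged from the removed one.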
@@ -20,7 +44,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -49,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index b940269f1e..275d9ac8f4 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml 
+++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml 
@@ -1,16 +1,35 @@ name: Linux Auditd Whoami User Discovery id: d1ff2e22-310d-446a-80b3-faedaa7b3b52 version: 3 -date: '2025-01-20' +date: '2024-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the suspicious use of the whoami command, which may indicate an attacker trying to gather information about the current user account on a compromised system. The whoami command is commonly used to verify user privileges and identity, especially during initial stages of an attack to assess the level of access. By monitoring for unusual or unauthorized executions of whoami, this analytic helps in identifying potential reconnaissance activities, enabling security teams to take action before the attacker escalates privileges or conducts further malicious operations. +description: The following analytic detects the suspicious use of the whoami command, + which may indicate an attacker trying to gather information about the current user + account on a compromised system. The whoami command is commonly used to verify user + privileges and identity, especially during initial stages of an attack to assess + the level of access. By monitoring for unusual or unauthorized executions of whoami, + this analytic helps in identifying potential reconnaissance activities, enabling + security teams to take action before the attacker escalates privileges or conducts + further malicious operations. 
data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest success | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_whoami_user_discovery_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. +search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" | rename host + as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL + UID ppid pid dest success | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| + `linux_auditd_whoami_user_discovery_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. 
These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + which is essential for correctly parsing and categorizing the data. The next step + involves normalizing the field names to match the field names set by the Splunk + Common Information Model (CIM) to ensure consistency across different data sources + and enhance the efficiency of data modeling. This approach enables effective monitoring + and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS 
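Review bot: The rewrapped search, `type=SYSCALL comm=whoami OR exe= "*/whoami"`, depends on SPL evaluating OR before the implied AND; that is how Splunk parses it, but readers coming from other languages routinely read it as `(type=SYSCALL comm=whoami) OR exe=...`, so explicit grouping, `type=SYSCALL (comm=whoami OR exe="*/whoami")`, would make the intent unambiguous and keep it that way through future edits. The `date` field also moves backward from '2025-01-20' to '2024-11-13' while the file content changes, which looks like a merge artifact rather than an intended edit and is worth confirming. The old wording "data, that consists of SYSCALL" becomes "data, that consist SYSCALL" on the new side, which reads as a regression.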
@@ -20,7 +39,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -48,6 +72,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log source: /var/log/audit/audit.log sourcetype: linux:audit diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml index 13f823f51e..40f522d2cb 100644 --- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml +++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml 
@@ -1,16 +1,28 @@ name: Print Spooler Failed to Load a Plug-in id: 1adc9548-da7c-11eb-8f13-acde48001122 version: 4 -date: '2025-01-20' +date: '2024-11-13' author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP -description: The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as "meterpreter.dll," with error code 0x45A. This detection method leverages specific event codes and error messages. This activity is significant as it may indicate an exploitation attempt of a known vulnerability. If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise. +description: The following analytic detects driver load errors in the Windows PrintService + Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). + It triggers on error messages indicating the print spooler failed to load a plug-in + module, such as "meterpreter.dll," with error code 0x45A. This detection method + leverages specific event codes and error messages. This activity is significant + as it may indicate an exploitation attempt of a known vulnerability. If confirmed + malicious, an attacker could gain unauthorized code execution on the affected system, + leading to potential system compromise. 
data_source: - Windows Event Log Printservice 808 - Windows Event Log Printservice 4909 -search: '`printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `print_spooler_failed_to_load_a_plug_in_filter`' -how_to_implement: You will need to ensure PrintService Admin and Operational logs are being logged to Splunk from critical or all systems. +search: '`printservice` ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) + OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")) + | stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode + ComputerName Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `print_spooler_failed_to_load_a_plug_in_filter`' +how_to_implement: You will need to ensure PrintService Admin and Operational logs + are being logged to Splunk from critical or all systems. known_false_positives: False positives are unknown and filtering may be required. references: - https://www.truesec.com/hub/blog/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available 
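Review bot: The second OR branch of the rewrapped search, `("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\")`, is a free-text match with no EventCode or ErrorCode constraint, so it fires on any `printservice` event containing either string, while the `data_source` list in the same hunk names only Printservice 808 and 4909. Either scope that branch to the same events, e.g. `(EventCode IN ("808","4909") ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\"))`, or say in the description that the string branch is intentionally broader than the listed event codes. As in the whoami hunk, `date` moves backward from '2025-01-20' to '2024-11-13' alongside content changes, which may be unintended.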
@@ -22,7 +34,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$ComputerName$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -51,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log source: WinEventLog:Microsoft-Windows-PrintService/Admin sourcetype: WinEventLog 
diff --git a/detections/endpoint/windows_service_creation.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
similarity index 55%
rename from detections/endpoint/windows_service_creation.yml
rename to detections/endpoint/windows_service_creation_using_registry_entry.yml
index 1df59c5f1f..c5692d89f0 100644
--- a/detections/endpoint/windows_service_creation.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -1,25 +1,32 @@ -name: Windows Service Creation +name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 version: 8 -date: '2025-01-03' +date: '2025-01-20' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly -description: The following analytic detects modifications to the "ImagePath" registry value part of registry keys that define Windows services "HKLM\\System\\CurrentControlSet\\Services\\*". This activity can be significant because it indicates potential unauthorized service creation, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes. +description: The following analytic detects the modification of registry keys that + define Windows services using reg.exe. This detection leverages Splunk to search + for specific keywords in the registry path, value name, and value data fields. This + activity is significant because it indicates potential unauthorized changes to service + configurations, a common persistence technique used by attackers. If confirmed malicious, + this could allow an attacker to maintain access, escalate privileges, or move laterally + within the network, leading to data theft, ransomware, or other damaging outcomes. 
data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\*" Registry.registry_value_name - = ImagePath) BY Registry.dest Registry.user Registry.registry_path +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" + Registry.registry_value_name = ImagePath) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_filter`' + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 -known_false_positives: Third party tools may used this technique to create services but not so common. +known_false_positives: Third party tools may used this technique to create services + but not so common. references: - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md drilldown_searches: 
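Review bot: The new description says the analytic detects service registry modification "using reg.exe", but the search in the same hunk is a tstats over `Endpoint.Registry` filtered only on `registry_path` and `registry_value_name = ImagePath`, with no process constraint, so the text overstates what the query enforces; either drop the reg.exe claim (the removed description's "modifications to the ImagePath registry value" matched the query) or add a process filter. The path pattern also loses its trailing separator, `*\\SYSTEM\\CurrentControlSet\\Services*` instead of `*\\SYSTEM\\CurrentControlSet\\Services\\*`, which would also match sibling keys whose name merely begins with "Services"; if that is intended it deserves a note, otherwise restore the `\\` before the wildcard. The name and search change while `version: 8` stays as context, and the file's last hunk leaves the new side without a trailing newline, which the later "add missing eol" patch does not restore for this file among those listed. "Third party tools may used this technique" should read "may use".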
@@ -28,7 +35,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: @@ -59,6 +71,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file From 8b128feb637cc46d167a798092fcadad1da0454a Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali
Date: Thu, 23 Jan 2025 15:18:41 +0100
Subject: [PATCH 31/37] fix typo
---
 detections/endpoint/linux_auditd_auditd_service_stop.yml | 2 +-
 .../endpoint/linux_auditd_disable_or_modify_system_firewall.yml | 2 +-
 detections/endpoint/linux_auditd_doas_conf_file_creation.yml | 2 +-
 detections/endpoint/linux_auditd_osquery_service_stop.yml | 2 +-
 .../endpoint/linux_auditd_preload_hijack_via_preload_file.yml | 2 +-
 detections/endpoint/linux_auditd_sysmon_service_stop.yml | 2 +-
 .../linux_auditd_unix_shell_configuration_modification.yml | 2 +-
 detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml
index 301ca8ce13..228ac764f5 100644
--- a/detections/endpoint/linux_auditd_auditd_service_stop.yml
+++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml
@@ -46,7 +46,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A service event - [$type$] event occured on host - [$dest$].
+ message: A service event - [$type$] event occurred on host - [$dest$].
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
index fe40910ff2..2e53a48f0c 100644
--- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
+++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
@@ -46,7 +46,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A service event - [$type$] to disable or modify system firewall occured
+ message: A service event - [$type$] to disable or modify system firewall occurred
 on host - [$dest$] .
 risk_objects:
 - field: dest
diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
index b5d39b01ed..35d7bc3e8a 100644
--- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
@@ -47,7 +47,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A [$type$] event occured on host - [$dest$] to create a doas.conf file.
+ message: A [$type$] event occurred on host - [$dest$] to create a doas.conf file.
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml
index 7d488b6bc3..e1ba5b69d9 100644
--- a/detections/endpoint/linux_auditd_osquery_service_stop.yml
+++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml
@@ -47,7 +47,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A service event - [$type$] event occured on host - [$dest$] to stop the
+ message: A service event - [$type$] event occurred on host - [$dest$] to stop the
 osquery service.
 risk_objects:
 - field: dest
diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
index 1090b25606..2d5b8c3d5e 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
@@ -47,7 +47,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A [$type$] event has occured on host - [$dest$] to modify the preload file.
+ message: A [$type$] event has occurred on host - [$dest$] to modify the preload file.
 risk_objects:
 - field: dest
 type: system
diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
index fd87cbaabc..64021b8def 100644
--- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml
+++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
@@ -46,7 +46,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A service event - [$type$] event occured on host - [$dest$] to stop or
+ message: A service event - [$type$] event occurred on host - [$dest$] to stop or
 disable the sysmon service.
 risk_objects:
 - field: dest
diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
index 43a4fbf7f8..50d90725bc 100644
--- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
@@ -53,7 +53,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A [$type$] event occured on host - [$dest$] to modify the unix shell configuration
+ message: A [$type$] event occurred on host - [$dest$] to modify the unix shell configuration
 file.
 risk_objects:
 - field: dest
diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
index 40f522d2cb..5e37c7894e 100644
--- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
+++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
@@ -43,7 +43,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: Suspicious printer spooler errors have occured on endpoint $ComputerName$
+ message: Suspicious printer spooler errors have occurred on endpoint $ComputerName$
 with EventCode $EventCode$.
 risk_objects:
 - field: ComputerName
From aa1c8fab2d3f6699fc7d274fd342f2b0a3c2bf83 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 23 Jan 2025 15:25:13 +0100
Subject: [PATCH 32/37] add missing eol
---
 detections/endpoint/linux_auditd_add_user_account.yml | 2 +-
 detections/endpoint/linux_auditd_add_user_account_type.yml | 2 +-
 detections/endpoint/linux_auditd_at_application_execution.yml | 2 +-
 detections/endpoint/linux_auditd_auditd_service_stop.yml | 2 +-
 detections/endpoint/linux_auditd_base64_decode_files.yml | 2 +-
 ...linux_auditd_data_transfer_size_limits_via_split_syscall.yml | 2 +-
 detections/endpoint/linux_auditd_dd_file_overwrite.yml | 2 +-
 .../endpoint/linux_auditd_disable_or_modify_system_firewall.yml | 2 +-
 detections/endpoint/linux_auditd_doas_conf_file_creation.yml | 2 +-
 detections/endpoint/linux_auditd_doas_tool_execution.yml | 2 +-
 detections/endpoint/linux_auditd_edit_cron_table_parameter.yml | 2 +-
 .../endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml | 2 +-
 .../endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml | 2 +-
 detections/endpoint/linux_auditd_osquery_service_stop.yml | 2 +-
 ...ditd_possible_access_or_modification_of_sshd_config_file.yml | 2 +-
 .../linux_auditd_possible_access_to_credential_files.yml | 2 +-
 .../endpoint/linux_auditd_possible_access_to_sudoers_file.yml | 1 -
 .../linux_auditd_private_keys_and_certificate_enumeration.yml | 2 +-
 18 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml
index 5de241fc97..900f4b6a4e 100644
--- a/detections/endpoint/linux_auditd_add_user_account.yml
+++ b/detections/endpoint/linux_auditd_add_user_account.yml
@@ -73,4 +73,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index ae4cde478a..929dd08741 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
@@ -72,4 +72,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml
index 84a3cd77c9..da29fe7c02 100644
--- a/detections/endpoint/linux_auditd_at_application_execution.yml
+++ b/detections/endpoint/linux_auditd_at_application_execution.yml
@@ -78,4 +78,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml
index 228ac764f5..8efe47b2f9 100644
--- a/detections/endpoint/linux_auditd_auditd_service_stop.yml
+++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml
@@ -72,4 +72,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index 796827f658..c3afef3870 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -76,4 +76,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
index f78ea55eae..835309e3f6 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
@@ -74,4 +74,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
index 9d205070c0..a37c14e655 100644
--- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
@@ -73,4 +73,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
index 2e53a48f0c..5dfd17febc 100644
--- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
+++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
@@ -74,4 +74,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
index 35d7bc3e8a..6eea3f2bdf 100644
--- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
@@ -73,4 +73,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml
index 77245c77c3..14483461ca 100644
--- a/detections/endpoint/linux_auditd_doas_tool_execution.yml
+++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml
@@ -74,4 +74,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
index 4ad3409e1e..abcf36a2c5 100644
--- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
+++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
@@ -76,4 +76,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
index ca781680fa..85736a7952 100644
--- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
@@ -75,4 +75,4 @@ tests:
 - data:
 https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log
 source: /var/log/audit/audit.log
- sourcetype: linux:audit
\ No newline at end of file
+ sourcetype: linux:audit
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
index 9b21168ed5..2f6788506b 100644
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -75,4 +75,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log source: /var/log/audit/audit.log - sourcetype: linux:audit \ No newline at end of file + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml index e1ba5b69d9..edf2a44c84 100644 --- a/detections/endpoint/linux_auditd_osquery_service_stop.yml +++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml @@ -74,4 +74,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log source: /var/log/audit/audit.log - sourcetype: linux:audit \ No newline at end of file + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index 68d0ffc22c..965112d606 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml @@ -76,4 +76,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log source: /var/log/audit/audit.log - sourcetype: linux:audit \ No newline at end of file + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml index 3a4c356dff..ce1805c364 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml 
@@ -77,4 +77,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log source: /var/log/audit/audit.log - sourcetype: linux:audit \ No newline at end of file + sourcetype: linux:audit diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index e9c03d6886..89197c710b 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml @@ -75,4 +75,3 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log source: /var/log/audit/audit.log sourcetype: linux:audit - \ No newline at end of file diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml index 2ff0bce4f1..1769ff5a99 100644 --- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml +++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml @@ -76,4 +76,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log source: /var/log/audit/audit.log - sourcetype: linux:audit \ No newline at end of file + sourcetype: linux:audit From 3228a5a53e55bfb2bb1fd99a6376d3d7e8948ae2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Thu, 23 Jan 2025 15:26:29 +0100 Subject: [PATCH 33/37] Update linux_auditd_base64_decode_files.yml --- .../linux_auditd_base64_decode_files.yml | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) 
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index c3afef3870..57b3c91b7f 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -1,24 +1,25 @@ -name: Linux Auditd Change File Owner To Root -id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90 -version: 4 +name: Linux Auditd Base64 Decode Files +id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737 +version: 3 date: '2024-11-13' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic detects the use of the 'chown' command to change - a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically - monitoring command-line executions and process details. This activity is significant - as it may indicate an attempt to escalate privileges by adversaries, malware, or - red teamers. If confirmed malicious, this action could allow an attacker to gain - root-level access, leading to full control over the compromised host and potential - persistence within the environment. +type: Anomaly +description: The following analytic detects suspicious Base64 decode operations that + may indicate malicious activity, such as data exfiltration or execution of encoded + commands. Base64 is commonly used to encode data for safe transmission, but attackers + may abuse it to conceal malicious payloads. This detection focuses on identifying + unusual or unexpected Base64 decoding processes, particularly when associated with + critical files or directories. By monitoring these activities, the analytic helps + uncover potential threats, enabling security teams to respond promptly and mitigate + risks associated with encoded malware or unauthorized data access. 
data_source: -- Linux Auditd Proctitle -search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as - dest | where LIKE (process_exec, "%chown %root%") | stats count min(_time) as firstTime - max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter - dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_change_file_owner_to_root_filter`' +- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as + dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR + LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as + lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| + `linux_auditd_base64_decode_files_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested 
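Review bot: The decode-flag match in the new `search` requires a trailing space, `LIKE(process_exec, "%-d %")`, so an invocation whose last argument is `-d` (the common `... | base64 -d` form with the data on stdin) produces no match, and `% --d%` keys on a two-character prefix rather than the actual `--decode` option. A tighter pair would be `LIKE(process_exec, "% -d%") OR LIKE(process_exec, "% --decode%")`, and if the execve macro exposes `comm` (as the private-keys search later in this series assumes) anchoring on the base64 executable there instead of a `%base64%` substring of the whole command line would stop unrelated commands that merely mention the string from firing. The `date` stays at `'2024-11-13'` while `version` moves to 3 and the entire body is replaced; the sibling private-keys rewrite in this series bumps its date, so this one presumably should too.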
@@ -28,11 +29,11 @@ how_to_implement: To implement this detection, the process begins by ingesting a Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. - Please update the filter macros to remove false positives. +known_false_positives: Administrator or network operator can use this application + for automation purposes. Please update the filter macros to remove false positives. references: -- https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users -- https://askubuntu.com/questions/617850/changing-from-user-to-superuser +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://gtfobins.github.io/gtfobins/dd/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' @@ -48,12 +49,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner - to root. + message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using + base64. risk_objects: - field: dest type: system - score: 64 + score: 25 threat_objects: [] tags: analytic_story: @@ -63,8 +64,7 @@ tags: - Compromised Linux Host asset_type: Endpoint mitre_attack_id: - - T1222.002 - - T1222 + - T1140 product: - Splunk Enterprise - Splunk Enterprise Security 
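Review bot: The second entry added under `references:` points at the GTFOBins `dd` page, which is unrelated to this analytic's base64 decoding and reads like a leftover from another detection in this series; it should be dropped or replaced with the GTFOBins `base64` entry (`https://gtfobins.github.io/gtfobins/base64/`). The new `known_false_positives` wording ("use this application for automation purposes") fits the Anomaly type and the lowered `score: 25` in the rba hunk on this line, so those parts look consistent.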
@@ -74,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log source: /var/log/audit/audit.log sourcetype: linux:audit From 4b3b3d999353e22512fb193347b58f193dbb5db9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Thu, 23 Jan 2025 15:32:11 +0100 Subject: [PATCH 34/37] Update linux_auditd_private_keys_and_certificate_enumeration.yml --- ...ivate_keys_and_certificate_enumeration.yml | 60 ++++++------------- 1 file changed, 17 insertions(+), 43 deletions(-) diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml index 1769ff5a99..0e5f984f6a 100644 --- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml +++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml 
@@ -1,55 +1,30 @@ -name: Linux Auditd Install Kernel Module Using Modprobe Utility -id: 95165985-ace5-4d42-9c42-93a89a5af901 -version: 3 -date: '2024-11-13' +name: Linux Auditd Private Keys and Certificate Enumeration +id: 80bb9988-190b-4ee0-a3c3-509545a8f678 +version: 4 +date: '2025-01-15' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the installation of a Linux kernel module - using the modprobe utility. It leverages data from Linux Auditd, focusing on process - names and command-line executions. This activity is significant because installing - a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level - code, potentially leading to elevated privileges and bypassing security detections. - If confirmed malicious, this could allow an attacker to gain persistent, high-level - access to the system, compromising its integrity and security. +description: The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information. 
data_source: -- Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=modprobe | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_install_kernel_module_using_modprobe_utility_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line - executions and process details on Unix/Linux systems. These logs should be ingested - and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), - which is essential for correctly parsing and categorizing the data. The next step - involves normalizing the field names to match the field names set by the Splunk - Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. - Please update the filter macros to remove false positives. 
+- Linux Auditd Execve +search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as dest | rename comm as process_name | rename exe as process | where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) | stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `linux_auditd_private_keys_and_certificate_enumeration_filter`' +how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed +known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. 
references: -- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ -- https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup -- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 +- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html +- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to install a - Linux kernel module using the modprobe utility. 
+ message: A [$process_exec$] event occurred on host - [$dest$] to find private keys. risk_objects: - field: dest type: system @@ -57,14 +32,14 @@ rba: threat_objects: [] tags: analytic_story: + - Linux Living Off The Land - Linux Privilege Escalation - - Linux Rootkit - Linux Persistence Techniques - Compromised Linux Host asset_type: Endpoint mitre_attack_id: - - T1547.006 - - T1547 + - T1552.004 + - T1552 product: - Splunk Enterprise - Splunk Enterprise Security @@ -73,7 +48,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log source: /var/log/audit/audit.log sourcetype: linux:audit From fc93c664a9d1cd57aca52132c8a10bb6f7a9ce2c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Thu, 23 Jan 2025 15:45:44 +0100 Subject: [PATCH 35/37] rollback changes to risk_notable_import_data files --- playbooks/risk_notable_import_data.json | 2 +- playbooks/risk_notable_import_data.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/risk_notable_import_data.json b/playbooks/risk_notable_import_data.json index c9558e3e32..12f59821d9 100644 --- a/playbooks/risk_notable_import_data.json +++ b/playbooks/risk_notable_import_data.json 
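Review bot: The new `search` renames `comm` to `process_name` and `exe` to `process` but neither field is used afterwards — `stats ... by argc process_exec dest` drops them — so the two `rename` steps are dead and should either go or `process_name` should be added to the `by` clause so the analyst can see which binary actually ran (the `%find%`/`%grep%` substring match alone can presumably fire on other tools whose command line contains those strings, which a `process_name` column would make quick to triage). The `rba.message` and `description` speak only of private keys while the title, the `.cer`/`.crt`/`.p7b` patterns and the T1552.004 mapping cover certificates too; `to enumerate private keys or certificates` would match the name. This hunk replaces the file's header block, so the YAML document continues into the later hunks on this line.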
@@ -136,7 +136,7 @@ "errors": {}, "id": "1", "type": "end", - "userCode": "\t\n # Error handling in case of playbook not being able to import data properly\n if not format_summary_note:\n raise RuntimeError(\"Error occurred during import data and summary note is missing\")\n \n # This function is called after all actions are completed.\n # summary of all the action and/or all details of actions\n # can be collected here.\n\n # summary_json = phantom.get_summary()\n # if 'result' in summary_json:\n # for action_result in summary_json['result']:\n # if 'action_run_id' in action_result:\n # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)\n # phantom.debug(action_results)\n\n", + "userCode": "\t\n # Error handling in case of playbook not being able to import data properly\n if not format_summary_note:\n raise RuntimeError(\"Error occured during import data and summary note is missing\")\n \n # This function is called after all actions are completed.\n # summary of all the action and/or all details of actions\n # can be collected here.\n\n # summary_json = phantom.get_summary()\n # if 'result' in summary_json:\n # for action_result in summary_json['result']:\n # if 'action_run_id' in action_result:\n # action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)\n # phantom.debug(action_results)\n\n", "x": 960, "y": 1800 }, diff --git a/playbooks/risk_notable_import_data.py b/playbooks/risk_notable_import_data.py index d12c554957..f699597c80 100644 --- a/playbooks/risk_notable_import_data.py +++ b/playbooks/risk_notable_import_data.py 
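Review bot: The rollback reintroduces the misspelled `occured` into the `RuntimeError` message embedded in `userCode`, and the same string changes again in `playbooks/risk_notable_import_data.py` on the next hunk. If the intent is to keep the exported JSON and the generated .py byte-identical with what the SOAR platform produces, the wording should be corrected once in the playbook source and both files re-exported together, rather than preserving the typo as the canonical text. If there is another reason for the rollback, the commit message should state it, since "rollback changes" alone does not explain why a typo fix is undone.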
@@ -579,7 +579,7 @@ def on_finish(container, summary): # Error handling in case of playbook not being able to import data properly if not format_summary_note: - raise RuntimeError("Error occurred during import data and summary note is missing") + raise RuntimeError("Error occured during import data and summary note is missing") # This function is called after all actions are completed. # summary of all the action and/or all details of actions From 2f060093104265a778cf312f2c3fd0f4fae0cc94 Mon Sep 17 00:00:00 2001 From: research-bot Date: Thu, 23 Jan 2025 15:14:57 -0800 Subject: [PATCH 36/37] ctl version to alpha3 --- .github/workflows/appinspect.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/unit-testing.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml index 74d4aeab10..4c99832ebe 100644 --- a/.github/workflows/appinspect.yml +++ b/.github/workflows/appinspect.yml @@ -18,7 +18,7 @@ jobs: - name: Install Python Dependencies and ContentCTL and Atomic Red Team run: | - pip install contentctl==v5.0.0-alpha.2 + pip install contentctl==v5.0.0-alpha.3 git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2437aea9fe..752e516e3f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,7 +19,7 @@ jobs: - name: Install Python Dependencies and ContentCTL and Atomic Red Team run: | - pip install contentctl==v5.0.0-alpha.2 + pip install contentctl==v5.0.0-alpha.3 git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti 
diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml index 4de315ba24..925207f4cb 100644 --- a/.github/workflows/unit-testing.yml +++ b/.github/workflows/unit-testing.yml @@ -23,7 +23,7 @@ jobs: - name: Install Python Dependencies and ContentCTL run: | python -m pip install --upgrade pip - pip install contentctl==v5.0.0-alpha.2 + pip install contentctl==v5.0.0-alpha.3 # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop # Make sure we check out the PR, even if it actually lives in a fork From ca11fc70beb1dbbe05d1f25d55defe2b476102e1 Mon Sep 17 00:00:00 2001 From: research-bot Date: Thu, 23 Jan 2025 17:15:55 -0800 Subject: [PATCH 37/37] updating spl to output dest --- ...loading_dotnet_into_memory_via_reflection.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index a98579a280..cab7babf13 100644 --- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml 
@@ -8,7 +8,7 @@ type: Anomaly data_source: - Powershell Script Block Logging 4104 description: The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*", "*Reflection.Assembly.Load*", "*UnsafeLoadFrom*", "*.LoadFrom(*", "*.LoadModule(*", "*.LoadWithPartialName*", "*ReflectionOnlyLoad*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`' +search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*", "*Reflection.Assembly.Load*", "*UnsafeLoadFrom*", "*.LoadFrom(*", "*.LoadModule(*", "*.LoadWithPartialName*", "*ReflectionOnlyLoad*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest, UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`' how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
known_false_positives: False positives should be limited as day to day scripts do not use this method.
 references:
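Review bot: Style: the added `| rename Computer as dest, UserID as user|` has no space before its trailing pipe, unlike every other pipe in this search; `| rename Computer as dest, UserID as user | ` keeps the SPL consistent. Functionally the rename after `stats ... by Opcode Computer UserID ...` is fine, though moving it ahead of `stats` and grouping by `dest user` directly would read more naturally.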
@@ -18,20 +18,20 @@ references: - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ drilldown_searches: -- name: View the detection results for - "$Computer$" and "$user$" - search: '%original_detection_search% | search Computer = "$Computer$" user = "$user$"' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$Computer$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: message: A suspicious powershell script contains reflective class assembly command in 
$ScriptBlockText$ to load .net code in memory with EventCode $EventCode$ in - host $Computer$ + host $dest$ risk_objects: - - field: Computer + - field: dest type: system score: 56 - field: user @@ -60,4 +60,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reflection.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file
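Review bot: The rewritten risk drilldown on the previous line has `normalized_risk_object IN ("$$", "$user$")` — the `dest` token was lost, so the search matches a literal `$$` (or an empty string, depending on token substitution) instead of the host and host-scoped risk events will never be returned. It should read `normalized_risk_object IN ("$dest$", "$user$")`, matching the drilldown's own name and the first drilldown's `dest = "$dest$"`. The `risk_objects` switch to `field: dest` is consistent with the new `rename` in the search; the trailing-newline removal in the tests hunk on this line is whitespace only.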