
Commit

crypto_campaign
tccontre committed Dec 17, 2024
2 parents 6fc84d9 + b7f7c8c commit c7d68b5
Showing 93 changed files with 1,311 additions and 516 deletions.
4 changes: 2 additions & 2 deletions contentctl.yml
@@ -149,9 +149,9 @@ apps:
- uid: 5556
title: Splunk Add-on for Google Workspace
appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE
version: 3.0.0
version: 3.0.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_300.tgz
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_301.tgz
- uid: 3110
title: Splunk Add-on for Microsoft Cloud Services
appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES
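Review bot: `hardcoded_path` on the changed line pins the Google Workspace add-on to an unauthenticated S3 URL (`splunk-add-on-for-google-workspace_301.tgz`) with no checksum beside it, so whoever builds the attack range cannot verify that the archive they download is the 3.0.1 release; consider recording a SHA-256 for the archive next to the path. Separately, `description: description of app` is still placeholder text and could carry the real add-on description while this entry is being touched.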
2 changes: 1 addition & 1 deletion data_sources/g_suite_drive.yml
@@ -9,7 +9,7 @@ sourcetype: gsuite:drive:json
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
version: 3.0.0
version: 3.0.1
fields:
- _time
- email
2 changes: 1 addition & 1 deletion data_sources/g_suite_gmail.yml
@@ -9,7 +9,7 @@ sourcetype: gsuite:gmail:bigquery
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
version: 3.0.0
version: 3.0.1
fields:
- _time
- action_type
2 changes: 1 addition & 1 deletion data_sources/google_workspace_login_failure.yml
@@ -10,7 +10,7 @@ separator: event.name
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
version: 3.0.0
version: 3.0.1
fields:
- _time
- actor.email
2 changes: 1 addition & 1 deletion data_sources/google_workspace_login_success.yml
@@ -10,7 +10,7 @@ separator: event.name
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
version: 3.0.0
version: 3.0.1
fields:
- _time
- actor.email
@@ -1,15 +1,15 @@
name: Windows Lateral Tool Transfer RemCom
id: e373a840-5bdc-47ef-b2fd-9cc7aaf387f0
version: 4
date: '2024-09-30'
version: 5
date: '2024-12-10'
author: Michael Haag, Splunk
type: TTP
status: production
status: deprecated
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
description: The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network.
description: NOTE - This search is deprecated in favor of `Windows Service Execution RemCom` as the latter is a more accurate name for the detection. The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: False positives may be present based on Administrative use. Filter as needed.
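Review bot: the deprecation note added to `description` names the replacement only as `Windows Service Execution RemCom`; detection names can change while ids are stable, so include the replacement's `id` (or its file path) to keep the pointer resolvable. Also, because `search` and `how_to_implement` are left unchanged, the deprecated search still depends on the `windows_lateral_tool_transfer_remcom_filter` macro; keep that macro defined until the file is removed, otherwise the analytic fails to parse for anyone who still has it enabled.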
6 changes: 3 additions & 3 deletions detections/endpoint/active_setup_registry_autostart.yml
@@ -1,7 +1,7 @@
name: Active Setup Registry Autostart
id: f64579c0-203f-11ec-abcc-acde48001122
version: 7
date: '2024-11-14'
version: 8
date: '2024-12-08'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
| `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: Active setup installer may add or modify this registry.
references:
@@ -1,7 +1,7 @@
name: Add DefaultUser And Password In Registry
id: d4a3eb62-0f1e-11ec-a971-acde48001122
version: 7
date: '2024-11-14'
version: 8
date: '2024-12-08'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
| `add_defaultuser_and_password_in_registry_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: unknown
references:
@@ -1,7 +1,7 @@
name: Allow Inbound Traffic By Firewall Rule Registry
id: 0a46537c-be02-11eb-92ca-acde48001122
version: 8
date: '2024-11-14'
version: 9
date: '2024-12-08'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: network admin may add/remove/modify public inbound firewall
rule that may cause this rule to be triggered.
6 changes: 3 additions & 3 deletions detections/endpoint/allow_operation_with_consent_admin.yml
@@ -1,7 +1,7 @@
name: Allow Operation with Consent Admin
id: 7de17d7a-c9d8-11eb-a812-acde48001122
version: 7
date: '2024-11-14'
version: 8
date: '2024-12-08'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
| `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: unknown
references:
6 changes: 3 additions & 3 deletions detections/endpoint/auto_admin_logon_registry_entry.yml
@@ -1,7 +1,7 @@
name: Auto Admin Logon Registry Entry
id: 1379d2b8-0f18-11ec-8ca3-acde48001122
version: 7
date: '2024-11-14'
version: 8
date: '2024-12-08'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
| `auto_admin_logon_registry_entry_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: unknown
references:
24 changes: 19 additions & 5 deletions detections/endpoint/common_ransomware_extensions.yml
@@ -1,18 +1,32 @@
name: Common Ransomware Extensions
id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
version: 7
date: '2024-10-17'
version: 8
date: '2024-12-12'
author: David Dorsey, Michael Haag, Splunk, Steven Dick
status: production
type: Hunting
type: TTP
description: The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.
data_source:
- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?<file_extension>\.[^\.]+)$" | rex field=file_path "(?<true_file_path>([^\\\]*\\\)*).*" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`'
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h
| `drop_dm_object_name(Filesystem)`
| rex field=file_name "(?<file_extension>\.[^\.]+)$"
| rex field=file_path "(?<true_file_path>([^\\\]*\\\)*).*"
| stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(true_file_path) as file_path by dest file_name
| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`'
how_to_implement: 'You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`'
known_false_positives: It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.
references:
- https://github.com/splunk/security_content/issues/2448
drilldown_searches:
- name: View the detection results for - "$dest$" and "$user$"
search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- SamSam Ransomware
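Review bot: the `stats ... by dest file_name` in the rewritten search looks like a logic regression. Grouping by `file_name` makes `dc(file_name) as file_count` equal to 1 in every row, so the `file_count > 20` side of `where path_count > 1 OR file_count > 20` can never fire and `$file_count$` in the notable message will always read 1; the previous version grouped by `dest file_extension` and carried `latest(file_name) as file_name`, which is what made that count meaningful. The rewrite also stops carrying `file_extension` (it is neither aggregated nor in the `by` clause), so the `ransomware_extensions` macro must now match on `file_name` or it has nothing to join on. Either restore `by dest file_extension` with `latest(file_name) as file_name`, or, if one result per file is the intent, drop the `file_count` branch and reword `known_false_positives`, which still says a true attack shows "a large number of files".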
@@ -25,7 +25,7 @@ tags:
asset_type: Endpoint
confidence: 100
impact: 90
message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.
message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $Extensions$ extension. This extension and behavior may indicate a $Name$ ransomware attack.
mitre_attack_id:
- T1485
observable:
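Review bot: `$Extensions$` in the changed `message` line is not a field the visible search produces (the `stats` step outputs `dest`, `file_name`, `user`, `file_path`, `path_count`, `file_count` and the time fields), so it has to come from the `ransomware_extensions` macro along with `$Name$`; confirm the lookup behind that macro outputs a field literally named `Extensions`, otherwise the notable shows the raw `$Extensions$` token. Since the first hunk promotes this analytic from Hunting to TTP, the unchanged `confidence: 100` and `impact: 90` context lines now drive a risk score of 90 on every match, including the `path_count > 1` case that fires on two directories; worth a second look before this goes to production.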
@@ -1,7 +1,7 @@
name: Create or delete windows shares using net exe
id: 743a322c-9a68-4a0f-9c17-85d9cce2a27c
version: 9
date: '2024-09-30'
version: 10
date: '2024-12-12'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -10,7 +10,7 @@ data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter`'
search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process IN ("*share* /delete*", "*share* /REMARK:*", "*share* /CACHE:*") | `create_or_delete_windows_shares_using_net_exe_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.
references:
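Review bot: the narrowed `search process IN ("*share* /delete*", "*share* /REMARK:*", "*share* /CACHE:*")` drops coverage for the plain create form, `net share name=path`, which carries neither `/REMARK:` nor `/CACHE:`, yet `name`, `description` and `known_false_positives` still describe the detection as covering share creation. Either add a pattern for the bare `*share* *=*` form or update the text to say only deletions and shares created with those switches are matched, so the reduced false-positive rate is not mistaken for unchanged coverage.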
@@ -1,15 +1,15 @@
name: Creation of Shadow Copy with wmic and powershell
id: 2ed8b538-d284-449a-be1d-82ad1dbd186b
version: '6'
date: '2024-11-28'
version: 7
date: '2024-12-08'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: The following analytic detects the creation of shadow copies using "wmic"
or "Powershell" commands. It leverages the Endpoint.Processes data model in Splunk
to identify processes where the command includes "shadowcopy" and "create". This
activity is significant because it may indicate an attacker attempting to manipulate
or access data unauthorizedly, potentially leading to data theft or manipulation.
or access data in an unauthorized manner, potentially leading to data theft or manipulation.
If confirmed malicious, this behavior could allow attackers to backup and exfiltrate
sensitive data or hide their tracks by restoring files to a previous state after
an attack.
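Review bot: the `version` field changes from the quoted string `'6'` to the integer `7` here, which brings this file in line with the other detections in the commit; a schema check in contentctl that rejects quoted versions would stop the string form from creeping back in.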
@@ -32,7 +32,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: Legtimate administrator usage of wmic to create a shadow copy.
known_false_positives: Legitimate administrator usage of wmic to create a shadow copy.
references:
- https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
- https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
12 changes: 9 additions & 3 deletions detections/endpoint/detect_new_local_admin_account.yml
@@ -1,15 +1,21 @@
name: Detect New Local Admin account
id: b25f6f62-0712-43c1-b203-083231ffd97d
version: 5
date: '2024-09-30'
version: 6
date: '2024-12-12'
author: David Dorsey, Splunk
status: production
type: TTP
description: The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.
data_source:
- Windows Event Log Security 4732
- Windows Event Log Security 4720
search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction src_user connected=false maxspan=180m | rename src_user as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`'
search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
| transaction user dest connected=false maxspan=180m
| stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest
| where distinct_eventcodes>1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`'
how_to_implement: You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732
known_false_positives: The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives
references: []
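Review bot: the new `where distinct_eventcodes>1` gate depends on 4720 and 4732 sharing the same `user` value, and for 4732 that is not guaranteed: the event reports the added member as `MemberSid`, with `MemberName` frequently `-`, so depending on how the TA maps `user` the 4732 side may carry a SID while 4720 carries the account name, `transaction user dest` never joins them, and the detection goes silent rather than noisy. Verify against the attack data that both events resolve to the same `user`, or normalise the SID to an account name before the transaction. Two smaller points: `stats ... by src_user user dest` after a `transaction` groups on a multivalue `src_user` whenever the two events have different subjects, which duplicates the result row per subject, so `values(src_user) as src_user` as an aggregate would be safer; and `references: []` is still empty, where a link to the Microsoft documentation for 4720 and 4732 would help analysts tune the `Group_Name=Administrators` assumption called out in `known_false_positives`.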

0 comments on commit c7d68b5
