diff --git a/contentctl.yml b/contentctl.yml index e531b3f2a0..905ca78ed6 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -149,9 +149,9 @@ apps: - uid: 5556 title: Splunk Add-on for Google Workspace appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE - version: 3.0.0 + version: 3.0.1 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_300.tgz + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_301.tgz - uid: 3110 title: Splunk Add-on for Microsoft Cloud Services appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES diff --git a/data_sources/g_suite_drive.yml b/data_sources/g_suite_drive.yml index 8500cc62d8..788feab331 100644 --- a/data_sources/g_suite_drive.yml +++ b/data_sources/g_suite_drive.yml @@ -9,7 +9,7 @@ sourcetype: gsuite:drive:json supported_TA: - name: Splunk Add-on for Google Workspace url: https://splunkbase.splunk.com/app/5556 - version: 3.0.0 + version: 3.0.1 fields: - _time - email diff --git a/data_sources/g_suite_gmail.yml b/data_sources/g_suite_gmail.yml index 627b52c10d..57fb49fd50 100644 --- a/data_sources/g_suite_gmail.yml +++ b/data_sources/g_suite_gmail.yml @@ -9,7 +9,7 @@ sourcetype: gsuite:gmail:bigquery supported_TA: - name: Splunk Add-on for Google Workspace url: https://splunkbase.splunk.com/app/5556 - version: 3.0.0 + version: 3.0.1 fields: - _time - action_type diff --git a/data_sources/google_workspace_login_failure.yml b/data_sources/google_workspace_login_failure.yml index 39d15de2e6..690e895626 100644 --- a/data_sources/google_workspace_login_failure.yml +++ b/data_sources/google_workspace_login_failure.yml @@ -10,7 +10,7 @@ separator: event.name supported_TA: - name: Splunk Add-on for Google Workspace url: https://splunkbase.splunk.com/app/5556 - version: 3.0.0 + version: 3.0.1 fields: - _time - actor.email 
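Review bot: in the contentctl.yml hunk the `description: description of app` placeholder is carried over untouched while `version` and `hardcoded_path` move to 3.0.1; fill in a real description for the Splunk Add-on for Google Workspace in the same change rather than leaving the stub in. The new `hardcoded_path` (`.../splunk-add-on-for-google-workspace_301.tgz`) is again a bare URL with no checksum recorded next to it, so a replaced archive at that S3 key would be picked up silently; consider storing a digest of the 3.0.1 tarball alongside the version so the build can reject a mismatch. The four `data_sources/*.yml` bumps to `version: 3.0.1` are consistent with the app entry (`uid: 5556`, `url: https://splunkbase.splunk.com/app/5556`).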
diff --git a/data_sources/google_workspace_login_success.yml b/data_sources/google_workspace_login_success.yml index cd8dc16048..00093874bd 100644 --- a/data_sources/google_workspace_login_success.yml +++ b/data_sources/google_workspace_login_success.yml @@ -10,7 +10,7 @@ separator: event.name supported_TA: - name: Splunk Add-on for Google Workspace url: https://splunkbase.splunk.com/app/5556 - version: 3.0.0 + version: 3.0.1 fields: - _time - actor.email diff --git a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml b/detections/deprecated/windows_lateral_tool_transfer_remcom.yml similarity index 83% rename from detections/endpoint/windows_lateral_tool_transfer_remcom.yml rename to detections/deprecated/windows_lateral_tool_transfer_remcom.yml index 19a7cc815e..167e76f761 100644 --- a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml +++ b/detections/deprecated/windows_lateral_tool_transfer_remcom.yml 
@@ -1,15 +1,15 @@ name: Windows Lateral Tool Transfer RemCom id: e373a840-5bdc-47ef-b2fd-9cc7aaf387f0 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-12-10' author: Michael Haag, Splunk type: TTP -status: production +status: deprecated data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. +description: NOTE - This search is deprecated in favor of `Windows Service Execution RemCom` as the latter is a more accurate name for the detection. The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. 
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_lateral_tool_transfer_remcom_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positives may be present based on Administrative use. Filter as needed. diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml index 534a1f30a8..e662e1a5ac 100644 --- a/detections/endpoint/active_setup_registry_autostart.yml +++ b/detections/endpoint/active_setup_registry_autostart.yml @@ -1,7 +1,7 @@ name: Active Setup Registry Autostart id: f64579c0-203f-11ec-abcc-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Steven Dick, Teoderick Contreras, Splunk status: production type: TTP 
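Review bot: the deprecation note added to `description` of windows_lateral_tool_transfer_remcom.yml points at `Windows Service Execution RemCom`, but that replacement detection is not part of this diff; confirm it already exists and is `status: production` before merging, otherwise the pointer in the deprecated file dangles. Apart from `status: deprecated`, `version: 5` and the date the file is unchanged, so the search still ends in `windows_lateral_tool_transfer_remcom_filter`; since filter macros are named per detection, anyone who customized that macro will have to re-apply the override on the replacement, and the note should say so.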
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Active setup installer may add or modify this registry. references: diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 30b9e3336e..22d3994a11 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml @@ -1,7 +1,7 @@ name: Add DefaultUser And Password In Registry id: d4a3eb62-0f1e-11ec-a971-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `add_defaultuser_and_password_in_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: 
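Review bot: the `offical` to `official` fix in `how_to_implement` of active_setup_registry_autostart.yml (and the identical hunk in add_defaultuser_and_password_in_registry.yml and the other registry detections below) comes with a `version` bump and a new `date` although the `search` is untouched. If `version` is meant to signal a logic change to consumers of this content, a doc-only correction should not increment it; if the tooling requires the bump regardless, a one-line note saying this is a wording-only change would save reviewers diffing every search.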
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml index 8f02b20d8f..7539cd6939 100644 --- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml +++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml @@ -1,7 +1,7 @@ name: Allow Inbound Traffic By Firewall Rule Registry id: 0a46537c-be02-11eb-92ca-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml index b6ffd745f6..02bbdada71 100644 --- a/detections/endpoint/allow_operation_with_consent_admin.yml +++ b/detections/endpoint/allow_operation_with_consent_admin.yml @@ -1,7 +1,7 @@ name: Allow Operation with Consent Admin id: 7de17d7a-c9d8-11eb-a812-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml index 33a6b01cd1..8757ee7543 100644 --- a/detections/endpoint/auto_admin_logon_registry_entry.yml +++ b/detections/endpoint/auto_admin_logon_registry_entry.yml @@ -1,7 +1,7 @@ name: Auto Admin Logon Registry Entry id: 1379d2b8-0f18-11ec-8ca3-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `auto_admin_logon_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml index d8c9971977..ebd15cc818 100644 --- a/detections/endpoint/common_ransomware_extensions.yml +++ b/detections/endpoint/common_ransomware_extensions.yml 
@@ -1,18 +1,32 @@ name: Common Ransomware Extensions id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-12-12' author: David Dorsey, Michael Haag, Splunk, Steven Dick status: production -type: Hunting +type: TTP description: The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" | rex field=file_path "(?([^\\\]*\\\)*).*" | stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`' +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime count latest(Filesystem.user) as user values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest _time span=1h +| 
`drop_dm_object_name(Filesystem)` +| rex field=file_name "(?\.[^\.]+)$" +| rex field=file_path "(?([^\\\]*\\\)*).*" +| stats min(firstTime) as firstTime max(lastTime) as lastTime latest(user) as user dc(true_file_path) as path_count dc(file_name) as file_count latest(true_file_path) as file_path by dest file_name +| `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_extensions` | where path_count > 1 OR file_count > 20 | `common_ransomware_extensions_filter`' how_to_implement: 'You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. To see the additional metadata, add the following fields, if not already present, please review the detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`' known_false_positives: It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions. 
references: - https://github.com/splunk/security_content/issues/2448 +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - SamSam Ransomware @@ -25,7 +39,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack. + message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $Extensions$ extension. This extension and behavior may indicate a $Name$ ransomware attack. mitre_attack_id: - T1485 observable: diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml index 7f37a0fc6b..b7c2d5d2de 100644 --- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml +++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml 
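Review bot: the rewritten `stats` in common_ransomware_extensions.yml groups `by dest file_name` instead of `by dest file_extension`, which breaks the threshold that follows: `dc(file_name) as file_count` is now evaluated inside a group that already has a single `file_name`, so `file_count` is always 1 and the `file_count > 20` branch of `where path_count > 1 OR file_count > 20` can never be true; only `path_count > 1` (the same file name written under more than one directory) survives. The `file_extension` produced by the first `rex` is also no longer carried through `stats` (it is neither aggregated nor a by-field), so `ransomware_extensions` and the `$Extensions$` now used in `message` must be derived from `file_name` or they are empty; verify the macro against the new field set. Given the type change from Hunting to TTP at `confidence: 100` / `impact: 90`, this needs a test with a real burst of renamed files before merging. Suggest keeping the extension as the grouping key, e.g. `... dc(file_name) as file_count latest(file_name) as file_name latest(true_file_path) as file_path by dest file_extension`.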
@@ -1,7 +1,7 @@ name: Create or delete windows shares using net exe id: 743a322c-9a68-4a0f-9c17-85d9cce2a27c -version: 9 -date: '2024-09-30' +version: 10 +date: '2024-12-12' author: Bhavin Patel, Splunk status: production type: TTP 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter`' +search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process IN ("*share* /delete*", "*share* /REMARK:*", "*share* /CACHE:*") | `create_or_delete_windows_shares_using_net_exe_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. 
known_false_positives: Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate. references: diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml index 7297c39883..92e1cc6817 100644 --- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml +++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml @@ -1,7 +1,7 @@ name: Creation of Shadow Copy with wmic and powershell id: 2ed8b538-d284-449a-be1d-82ad1dbd186b -version: '6' -date: '2024-11-28' +version: 7 +date: '2024-12-08' author: Patrick Bareiss, Splunk status: production type: TTP @@ -9,7 +9,7 @@ description: The following analytic detects the creation of shadow copies using or "Powershell" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes "shadowcopy" and "create". This activity is significant because it may indicate an attacker attempting to manipulate - or access data unauthorizedly, potentially leading to data theft or manipulation. + or access data in an unauthorized manner, potentially leading to data theft or manipulation. If confirmed malicious, this behavior could allow attackers to backup and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack. 
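Review bot: the tightened filter in create_or_delete_windows_shares_using_net_exe.yml, `search process IN ("*share* /delete*", "*share* /REMARK:*", "*share* /CACHE:*")`, no longer matches the plain creation form `net share <name>=<path>` unless the operator also passes `/REMARK:` or `/CACHE:`, so the "Create" half of the detection name does not hold for the most common invocation (`net share data=C:\data`); `/GRANT:` is not covered either. Add a pattern for the `name=path` form, e.g. `"*share* *=*"`, and note in `known_false_positives` that bare `net share` enumeration, which the old `*share*` wildcard caught, is now deliberately excluded.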
@@ -32,7 +32,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Legtimate administrator usage of wmic to create a shadow copy. +known_false_positives: Legitimate administrator usage of wmic to create a shadow copy. references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf - https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml index 4aa7e2f628..d15216ca68 100644 --- a/detections/endpoint/detect_new_local_admin_account.yml +++ b/detections/endpoint/detect_new_local_admin_account.yml @@ -1,7 +1,7 @@ name: Detect New Local Admin account id: b25f6f62-0712-43c1-b203-083231ffd97d -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-12-12' author: David Dorsey, Splunk status: production type: TTP 
@@ -9,7 +9,13 @@ description: The following analytic detects the creation of new accounts elevate data_source: - Windows Event Log Security 4732 - Windows Event Log Security 4720 -search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction src_user connected=false maxspan=180m | rename src_user as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`' +search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) +| transaction user dest connected=false maxspan=180m +| stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest +| where distinct_eventcodes>1 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `detect_new_local_admin_account_filter`' how_to_implement: You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 known_false_positives: The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives references: [] diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml index 2b50f14777..2eadb8ac05 100644 --- a/detections/endpoint/disable_amsi_through_registry.yml +++ b/detections/endpoint/disable_amsi_through_registry.yml @@ -1,7 +1,7 @@ name: Disable AMSI Through Registry id: 9c27ec42-d338-11eb-9044-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
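Review bot: the new search in detect_new_local_admin_account.yml only alerts when both event codes land in one `transaction user dest` and `where distinct_eventcodes>1` passes, which is a sound false-positive reduction over the old version, but it depends on `user` holding the same value for 4720 (the created account) and 4732 (the member added to the group); if the TA maps `user` on 4732 to the subject or the group instead of the member, the two events never share a transaction and the detection goes silent rather than noisy. Add a test with a 4720/4732 pair and confirm the join key lines up. Two smaller points: `transaction` buffers events in memory and `maxspan=180m` over a busy domain controller's 4720/4732 stream can hit its limits, whereas the same `dc(EventCode)` check can be done with `stats ... by user dest` over a time bucket; and the `Group_Name=Administrators` sentence in `known_false_positives` now describes a miss rather than excess alerts, since a renamed group yields no 4732 match and therefore no notable, so update that wording.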
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_amsi_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network operator may disable this feature of windows but not so common. diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index bfafad4a51..1fd8cf44b1 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -1,7 +1,7 @@ name: Disable Defender AntiVirus Registry id: aa4f695a-3024-11ec-9987-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: 
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 55f060c3b2..009a68ec32 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -1,7 +1,7 @@ name: Disable Defender BlockAtFirstSeen Feature id: 2dd719ac-3021-11ec-97b4-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -25,7 +25,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_defender_blockatfirstseen_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml index f151e8eb45..2aeabde665 100644 --- a/detections/endpoint/disable_defender_mpengine_registry.yml +++ b/detections/endpoint/disable_defender_mpengine_registry.yml @@ -1,7 +1,7 @@ name: Disable Defender MpEngine Registry id: cc391750-3024-11ec-955a-acde48001122 -version: 7 -date: '2024-10-04' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml index 16ab615933..6db3238af3 100644 --- a/detections/endpoint/disable_defender_spynet_reporting.yml +++ b/detections/endpoint/disable_defender_spynet_reporting.yml @@ -1,7 +1,7 @@ name: Disable Defender Spynet Reporting id: 898debf4-3021-11ec-ba7c-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_defender_spynet_reporting_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: 
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index 9beb36e080..cbbb8995f0 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml @@ -1,7 +1,7 @@ name: Disable Defender Submit Samples Consent Feature id: 73922ff8-3022-11ec-bf5e-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk,Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_defender_submit_samples_consent_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml index 99173b1969..c70369f185 100644 --- a/detections/endpoint/disable_etw_through_registry.yml +++ b/detections/endpoint/disable_etw_through_registry.yml @@ -1,7 +1,7 @@ name: Disable ETW Through Registry id: f0eacfa4-d33f-11eb-8f9d-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network operator may disable this feature of windows but not so common. diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml index ce44015574..2c48111345 100644 --- a/detections/endpoint/disable_registry_tool.yml +++ b/detections/endpoint/disable_registry_tool.yml @@ -1,7 +1,7 @@ name: Disable Registry Tool id: cd2cf33c-9201-11eb-a10a-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: 
diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml index 044bea08b0..4ec7d4929a 100644 --- a/detections/endpoint/disable_security_logs_using_minint_registry.yml +++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml @@ -1,7 +1,7 @@ name: Disable Security Logs Using MiniNt Registry id: 39ebdc68-25b9-11ec-aec7-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_security_logs_using_minint_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Unknown. references: diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml index 8bc8ebad53..2851b44e6f 100644 --- a/detections/endpoint/disable_show_hidden_files.yml +++ b/detections/endpoint/disable_show_hidden_files.yml @@ -1,7 +1,7 @@ name: Disable Show Hidden Files id: 6f3ccfa2-91fe-11eb-8f9b-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly 
@@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml index 422ca22fbb..d63a070a78 100644 --- a/detections/endpoint/disable_uac_remote_restriction.yml +++ b/detections/endpoint/disable_uac_remote_restriction.yml @@ -1,7 +1,7 @@ name: Disable UAC Remote Restriction id: 9928b732-210e-11ec-b65e-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may set this policy for non-critical machine. references: 
diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml index a05cc054a0..45b8734a95 100644 --- a/detections/endpoint/disable_windows_app_hotkeys.yml +++ b/detections/endpoint/disable_windows_app_hotkeys.yml @@ -1,7 +1,7 @@ name: Disable Windows App Hotkeys id: 1490f224-ad8b-11eb-8c4f-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 607f8ee214..929da38fce 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -1,7 +1,7 @@ name: Disable Windows Behavior Monitoring id: 79439cae-9200-11eb-a4d3-acde48001122 -version: 9 -date: '2024-11-14' +version: 10 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -25,7 +25,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `disable_windows_behavior_monitoring_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable this windows features. references: diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml index 3a04cd3396..c7dd7878bd 100644 --- a/detections/endpoint/disable_windows_smartscreen_protection.yml +++ b/detections/endpoint/disable_windows_smartscreen_protection.yml @@ -1,7 +1,7 @@ name: Disable Windows SmartScreen Protection id: 664f0fd0-91ff-11eb-a56f-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable this windows features. references: 
diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml index 2f0dbb0419..ad1e666ab3 100644 --- a/detections/endpoint/disabling_cmd_application.yml +++ b/detections/endpoint/disabling_cmd_application.yml @@ -1,7 +1,7 @@ name: Disabling CMD Application id: ff86077c-9212-11eb-a1e6-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml index 6237d4c19f..1ddfdff0c1 100644 --- a/detections/endpoint/disabling_controlpanel.yml +++ b/detections/endpoint/disabling_controlpanel.yml @@ -1,7 +1,7 @@ name: Disabling ControlPanel id: 6ae0148e-9215-11eb-a94a-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml index 856315d604..1c3a4ec1d8 100644 --- a/detections/endpoint/disabling_defender_services.yml +++ b/detections/endpoint/disabling_defender_services.yml @@ -1,7 +1,7 @@ name: Disabling Defender Services id: 911eacdc-317f-11ec-ad30-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable windows defender product references: 
diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml index 0f76cee569..60199b1e52 100644 --- a/detections/endpoint/disabling_folderoptions_windows_feature.yml +++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml @@ -1,7 +1,7 @@ name: Disabling FolderOptions Windows Feature id: 83776de4-921a-11eb-868a-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml index fa9ae7b774..25af90e4ec 100644 --- a/detections/endpoint/disabling_norun_windows_app.yml +++ b/detections/endpoint/disabling_norun_windows_app.yml @@ -1,7 +1,7 @@ name: Disabling NoRun Windows App id: de81bc46-9213-11eb-adc9-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml index eebf924779..a00bc68678 100644 --- a/detections/endpoint/disabling_remote_user_account_control.yml +++ b/detections/endpoint/disabling_remote_user_account_control.yml @@ -1,7 +1,7 @@ name: Disabling Remote User Account Control id: bbc644bc-37df-4e1a-9c88-ec9a53e2038c -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-12-03' author: David Dorsey, Patrick Bareiss, Splunk status: production type: TTP 
@@ -9,7 +9,7 @@ description: The following analytic identifies modifications to the registry key data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_data="0x00000000" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications. known_false_positives: This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence. references: [] diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml index 233bd12167..a13052f1e7 100644 --- a/detections/endpoint/disabling_systemrestore_in_registry.yml 
+++ b/detections/endpoint/disabling_systemrestore_in_registry.yml @@ -1,7 +1,7 @@ name: Disabling SystemRestore In Registry id: f4f837e2-91fb-11eb-8bf6-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: in some cases admin can disable systemrestore on a machine. references: diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml index b2b0870715..abddcde476 100644 --- a/detections/endpoint/disabling_task_manager.yml +++ b/detections/endpoint/disabling_task_manager.yml @@ -1,7 +1,7 @@ name: Disabling Task Manager id: dac279bc-9202-11eb-b7fb-acde48001122 -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin may disable this application for non technical user. references: diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml index 6e13c074ca..f4dba5c26b 100644 --- a/detections/endpoint/domain_group_discovery_with_net.yml +++ b/detections/endpoint/domain_group_discovery_with_net.yml @@ -1,7 +1,7 @@ name: Domain Group Discovery With Net id: f2f14ac7-fa81-471a-80d5-7eb65c3c7349 -version: 4 -date: '2024-11-26' +version: 5 +date: '2024-12-11' author: Mauricio Velazco, Splunk status: production type: Hunting @@ -22,6 +22,7 @@ tags: - Prestige Ransomware - Graceful Wipe Out Attack - Rhysida Ransomware + - Cleo File Transfer Software asset_type: Endpoint confidence: 50 impact: 30 diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml index 516b432328..f807d52480 100644 --- a/detections/endpoint/enable_rdp_in_other_port_number.yml +++ b/detections/endpoint/enable_rdp_in_other_port_number.yml @@ -1,7 +1,7 @@ name: Enable RDP In Other Port Number id: 99495452-b899-11eb-96dc-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-03' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -10,14 +10,14 @@ data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal + WHERE (Registry.registry_path="*\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp*" Registry.registry_value_name = "PortNumber") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml index 1dc8fb11b0..fe65e1ac2d 100644 --- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml +++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml @@ -1,7 +1,7 @@ name: Enable WDigest UseLogonCredential Registry id: 0c7d8ffe-25b1-11ec-9f39-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml index 634d70a037..a00720eabd 100644 --- a/detections/endpoint/etw_registry_disabled.yml +++ b/detections/endpoint/etw_registry_disabled.yml 
@@ -1,13 +1,12 @@ name: ETW Registry Disabled id: 8ed523ac-276b-11ec-ac39-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects a registry modification that disables the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. +description: The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. data_source: -- Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name 
@@ -18,11 +17,12 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `etw_registry_disabled_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 +- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ drilldown_searches: - name: View the detection results for - "$dest$" and "$user$" search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index 36bdf29052..ce84c19be8 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml @@ -57,6 +57,7 @@ tags: - Prestige Ransomware - XMRig - Crypto Stealer + - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint confidence: 100 impact: 80 diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index 446a70d1fe..0d785e5bc1 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -1,7 +1,7 @@ name: Hide User Account From Sign-In Screen id: 834ba832-ad89-11eb-937d-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `hide_user_account_from_sign_in_screen_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Unknown. Filter as needed. references: diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index d0dc9adb73..570b9483e4 100644 --- a/detections/endpoint/icacls_deny_command.yml +++ b/detections/endpoint/icacls_deny_command.yml @@ -57,6 +57,7 @@ tags: - Compromised Windows Host - XMRig - Crypto Stealer + - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint confidence: 80 impact: 90 diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index 8e18f883b8..feb8c1410e 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -54,6 +54,7 @@ tags: - Ransomware - Crypto Stealer - XMRig + - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 945c47dd7f..392d16e309 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml 
@@ -1,16 +1,16 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-12-07' author: Steven Dick status: production type: TTP description: The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security. data_source: - Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", 
"*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app ".*\\\(?.*)$" | rename app as process | `lolbas_with_network_traffic_filter`' -how_to_implement: To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type. -known_false_positives: Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", 
"*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe", "*\\pwsh.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app ".*\\\(?.*)$" | rename app as process | `lolbas_with_network_traffic_filter`' +how_to_implement: To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app field. Relevant processes must also be ingested in the Endpoint data model with matching process_id field. Sysmon EID1 and EID3 are good examples of this type this data type. +known_false_positives: Legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") references: - https://lolbas-project.github.io/# - https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/ diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index 46322d94ca..75c106eb38 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -55,6 +55,7 @@ tags: analytic_story: - Crypto Stealer - XMRig + - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint confidence: 80 impact: 40 
diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml index f88eacec48..4af4ccebb7 100644 --- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml +++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml @@ -1,7 +1,7 @@ name: Monitor Registry Keys for Print Monitors id: f5f6af30-7ba7-4295-bfe9-07de87c01bbc -version: 8 -date: '2024-11-14' +version: 9 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel status: production type: TTP @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `monitor_registry_keys_for_print_monitors_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: You will encounter noise from legitimate print-monitor registry entries. diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml index f0af8c38bf..419a824738 100644 --- a/detections/endpoint/nishang_powershelltcponeline.yml +++ b/detections/endpoint/nishang_powershelltcponeline.yml @@ -1,7 +1,7 @@ name: Nishang PowershellTCPOneLine id: 1a382c6c-7c2e-11eb-ac69-acde48001122 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-12-11' author: Michael Haag, Splunk status: production type: TTP @@ -30,6 +30,7 @@ drilldown_searches: tags: analytic_story: - HAFNIUM Group + - Cleo File Transfer Software asset_type: Endpoint confidence: 60 impact: 70 
diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml index fce99e05b2..4082dd1384 100644 --- a/detections/endpoint/nltest_domain_trust_discovery.yml +++ b/detections/endpoint/nltest_domain_trust_discovery.yml @@ -1,7 +1,7 @@ name: NLTest Domain Trust Discovery id: c3e05466-5f22-11eb-ae93-0242ac130002 -version: 4 -date: '2024-09-30' +version: 5 +date: '2024-12-11' author: Michael Haag, Splunk status: production type: TTP @@ -38,6 +38,7 @@ tags: - Active Directory Discovery - Qakbot - Rhysida Ransomware + - Cleo File Transfer Software asset_type: Endpoint confidence: 50 impact: 30 diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 716d82a119..2d721ea6d0 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -1,7 +1,7 @@ name: PowerShell 4104 Hunting id: d6f2b006-0041-11ec-8885-acde48001122 -version: 7 -date: '2024-10-17' +version: 8 +date: '2024-12-11' author: Michael Haag, Splunk status: production type: Hunting @@ -33,6 +33,7 @@ tags: - CISA AA24-241A - Braodo Stealer - Lumma Stealer + - Cleo File Transfer Software asset_type: Endpoint confidence: 100 impact: 80 diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml index cfc8bf66dc..a4c021dc8f 100644 --- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml +++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml @@ -1,7 +1,7 @@ name: Registry Keys for Creating SHIM Databases id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb -version: 9 -date: '2024-11-14' +version: 10 +date: '2024-12-08' author: Patrick Bareiss, Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel status: production type: TTP 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 7d91a58b07..2fa9ec64b9 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 11 -date: '2024-09-30' +version: 12 +date: '2024-12-03' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP 
@@ -9,7 +9,7 @@ description: The following analytic identifies modifications to registry keys co data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows 
NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*" OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*" OR Registry.registry_path=*\\currentversion\\run* OR Registry.registry_path=*\\currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Notify* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*\\CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*\\currentversion\\policies\\explorer\\run* OR Registry.registry_path=*\\currentversion\\runservices* OR Registry.registry_path=*\\SOFTWARE\\Microsoft\\Netsh\\* OR Registry.registry_path= "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup" OR 
Registry.registry_path= *\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler OR Registry.registry_path= *\\Classes\\htmlfile\\shell\\open\\command OR (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" AND Registry.registry_key_name=Debugger) OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\CurrentControlSet\\Control\\Lsa\\OSConfig" AND Registry.registry_key_name="Security Packages") OR (Registry.registry_path="*\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*") OR (Registry.registry_path="*currentVersion\\Windows" AND Registry.registry_key_name="Load") OR (Registry.registry_path="*\\CurrentVersion" AND Registry.registry_key_name="Svchost") OR (Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute") OR (Registry.registry_path="*\\Software\\Run" AND Registry.registry_key_name="auto_update")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_persistence_filter`' how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. known_false_positives: There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task. references: [] 
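Review bot: the only functional change in this `search` rewrite is relaxing `HKLM\\SOFTWARE\\Microsoft\\Netsh\\*` to `*\\SOFTWARE\\Microsoft\\Netsh\\*`, which widens the match from the machine hive to any hive; `version` is bumped 11 -> 12 but nothing in the description records why, so please note the intent (user-hive Netsh helper DLL persistence, presumably) in the description. While the whole line is being rewritten, also fix the one clause that is inconsistent with every other path in the search: `(Registry.registry_path="*\\CurrentControlSet\Control\Session Manager"AND Registry.registry_key_name="BootExecute")` uses single backslashes and has no space before `AND`; it should read `"*\\CurrentControlSet\\Control\\Session Manager" AND Registry.registry_key_name="BootExecute"` so the clause is escaped and parsed the same way as its neighbours.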
diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml index d6f9e746bf..a07d06e623 100644 --- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml +++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Privilege Escalation id: c9f4b923-f8af-4155-b697-1354f5bcbc5e -version: 10 -date: '2024-11-14' +version: 11 +date: '2024-12-08' author: David Dorsey, Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: There are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task. diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 6cf3344a8c..113eb03ccb 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -1,7 +1,7 @@ name: System Information Discovery Detection id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72 -version: 5 -date: '2024-09-30' +version: 6 +date: '2024-12-11' author: Patrick Bareiss, Splunk status: production type: TTP 
@@ -29,6 +29,7 @@ tags: - Windows Discovery Techniques - Gozi Malware - BlackSuit Ransomware + - Cleo File Transfer Software asset_type: Windows confidence: 50 impact: 30 diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml index 69d6461b29..8d712ffb64 100644 --- a/detections/endpoint/time_provider_persistence_registry.yml +++ b/detections/endpoint/time_provider_persistence_registry.yml @@ -1,7 +1,7 @@ name: Time Provider Persistence Registry id: 5ba382c4-2105-11ec-8d8f-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `time_provider_persistence_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml index 42ad5a5b3f..852993c7f4 100644 --- a/detections/endpoint/unusually_long_command_line___mltk.yml +++ b/detections/endpoint/unusually_long_command_line___mltk.yml @@ -1,7 +1,7 @@ name: Unusually Long Command Line - MLTK id: 57edaefa-a73b-45e5-bbae-f39c1473f941 -version: 3 -date: '2024-10-17' +version: 4 +date: '2024-12-16' author: Rico Valdez, Splunk status: experimental type: Anomaly 
@@ -11,7 +11,7 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval processlen=len(process) | search user!=unknown | apply cmdline_pdfmodel threshold=0.01 | rename "IsOutlier(processlen)" as isOutlier | search isOutlier > 0 | table firstTime lastTime user dest process_name process processlen count | `unusually_long_command_line___mltk_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. In addition, the Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your search heads, along with any required dependencies. Finally, the support search "ESCU - Baseline of Command Line Length - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment. known_false_positives: Some legitimate applications use long command lines for installs or updates. You should review identified command lines for legitimacy. You may modify the first part of the search to omit legitimate command lines from consideration. If you are seeing more results than desired, you may consider changing the value of threshold in the search to a smaller value. You should also periodically re-run the support search to re-build the ML model on the latest data. You may get unexpected results if the user identified in the results is not present in the data used to build the associated model. references: [] tags: diff --git a/detections/endpoint/windows_certutil_download_with_url_argument.yml b/detections/endpoint/windows_certutil_download_with_url_argument.yml new file mode 100644 index 0000000000..7ae9749bec --- /dev/null +++ b/detections/endpoint/windows_certutil_download_with_url_argument.yml 
@@ -0,0 +1,85 @@ +name: Windows CertUtil Download With URL Argument +id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944 +version: 1 +date: '2024-12-08' +author: Nasreddine Bencherchali, Splunk +status: production +type: TTP +description: The following analytic detects the use of `certutil.exe` to download files using the `-URL` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process="*-URL *" OR Processes.process="*/URL *") by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_certutil_download_with_url_argument_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Limited false positives in most environments, however tune as needed based on parent-child relationship or network connection. +references: +- https://attack.mitre.org/techniques/T1105/ +- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Living Off The Land + - Ingress Tool Transfer + asset_type: Endpoint + confidence: 100 + impact: 90 + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting to download a file. 
+ mitre_attack_id: + - T1105 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: parent_process_name + type: Process + role: + - Attacker + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 90 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index b3da3d6a8e..421be8ea5e 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Defender Exclusion Registry Entry id: 13395a44-4dd9-11ec-9df7-acde48001122 -version: 7 -date: '2024-11-14' +version: 8 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
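Review bot: in the new `windows_certutil_download_with_url_argument.yml`, `required_fields` lists `Processes.parent_process_path` and `Processes.process_path`, which the `search` never references in its `by` clause, while `how_to_implement` says the process GUID must be ingested and `Processes.process_guid` is neither grouped on nor listed; align the three so `required_fields` matches what the tstats actually consumes (`dest`, `user`, `original_file_name`, `parent_process`, `parent_process_name`, `process_name`, `process`, `process_id`, `parent_process_id`). Minor wording: the description says "using the `-URL` arguments" (it is one argument). The patterns `"*-URL *"` and `"*/URL *"` depend on the trailing space, which also keeps `-urlcache` invocations out of this search; stating that in the description would stop a later edit from widening the match and overlapping the existing certutil urlcache detection.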
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to use this windows features. references: diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml index cef11e2561..06a7feee8c 100644 --- a/detections/endpoint/windows_disable_change_password_through_registry.yml +++ b/detections/endpoint/windows_disable_change_password_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Disable Change Password Through Registry id: 0df33e1a-9ef6-11ec-a1ad-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml index d67110ba37..2d6ee0fbc3 100644 --- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml +++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Disable Lock Workstation Feature Through Registry id: c82adbc6-9f00-11ec-a81f-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml index f4548b9bd6..6cf2b86d0b 100644 --- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml +++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Disable LogOff Button Through Registry id: b2fb6830-9ed1-11ec-9fcb-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml index 6553bb5456..8e833b67e7 100644 --- a/detections/endpoint/windows_disable_notification_center.yml +++ b/detections/endpoint/windows_disable_notification_center.yml @@ -1,7 +1,7 @@ name: Windows Disable Notification Center id: 1cd983c8-8fd6-11ec-a09d-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: admin or user may choose to disable this windows features. references: diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml index 92afa88d17..630dd7b8bf 100644 --- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml +++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Disable Shutdown Button Through Registry id: 55fb2958-9ecd-11ec-a06a-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly 
@@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml index be4a054e3e..a819f3483f 100644 --- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml +++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Disable Windows Group Policy Features Through Registry id: 63a449ae-9f04-11ec-945e-acde48001122 -version: 6 -date: '2024-09-30' +version: 7 +date: '2024-12-08' author: Steven Dick, Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\*" Registry.registry_value_name IN ("NoDesktop", "NoFind", "NoControlPanel", "NoFileMenu", "NoSetTaskbar", "NoTrayContextMenu", "TaskbarLockAll", "NoThemesTab","NoPropertiesMyDocuments","NoVisualStyleChoice","NoColorChoice","NoPropertiesMyDocuments") Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Disabling these features for legitimate purposes is not a common use case but can still be implemented by the administrators. Filter as needed. references: - https://hybrid-analysis.com/sample/ef1c427394c205580576d18ba68d5911089c7da0386f19d1ca126929d3e671ab?environmentId=120&lang=en 
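Review bot: the `search` context in this hunk applies `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but the tstats only computes `count` (no `min(_time) as firstTime max(_time) as lastTime`), so those two fields never exist and the macro calls are no-ops; since the file is being touched (version 6 -> 7), add the aggregates as every sibling registry search in this patch does, or remove the two macro calls. Two more things in the same line: `where isnotnull(registry_value_data)` is redundant after `Registry.registry_value_data = "0x00000001"` in the WHERE clause, and `"NoPropertiesMyDocuments"` appears twice in the `IN (...)` list.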
diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index 58b87f0109..dccf14431e 100644 --- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -1,7 +1,7 @@ name: Windows Files and Dirs Access Rights Modification Via Icacls id: c76b796c-27e1-4520-91c4-4a58695c749e -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-12-06' author: Teoderick Contreras, Splunk status: production type: TTP @@ -27,6 +27,7 @@ drilldown_searches: tags: analytic_story: - Amadey + - Defense Evasion or Unauthorized Access Via SDDL Tampering asset_type: Endpoint atomic_guid: - 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml index aae8aacdbe..ee7774536f 100644 --- a/detections/endpoint/windows_hide_notification_features_through_registry.yml +++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml @@ -1,7 +1,7 @@ name: Windows Hide Notification Features Through Registry id: cafa4bce-9f06-11ec-a7b2-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly 
@@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `windows_hide_notification_features_through_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml new file mode 100644 index 0000000000..b907454d9f --- /dev/null +++ b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml 
@@ -0,0 +1,65 @@ +name: Windows Impair Defenses Disable Auto Logger Session +id: dc6a5613-d024-47e7-9997-ab6477a483d3 +version: 1 +date: '2024-12-06' +author: Nasreddine Bencherchali, Splunk +status: production +type: Anomaly +description: The following analytic detects the disabling of an AutoLogger session or one of its providers, by identifying changes to the Registry values "Start" and "Enabled" part of the "\WMI\Autologger\" key path. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as attackers and adversaries can leverage this in order to evade defense and blind EDRs and log ingest tooling. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint. +data_source: +- Sysmon EventID 13 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\WMI\\Autologger\\*" (Registry.registry_value_name="Start" OR Registry.registry_value_name="Enabled") Registry.registry_value_data ="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_auto_logger_session_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. +known_false_positives: It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. 
Although no false positives have been identified, use the provided filter macro to tune the search. +references: +- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ +- https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ +- https://isc.sans.edu/diary/rss/28628 +- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ +- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Windows Defense Evasion Tactics + - Windows Registry Abuse + asset_type: Endpoint + confidence: 90 + impact: 90 + message: Windows Auto Logger Session or Provider registry value set to 'disabled' on $dest$. 
+ mitre_attack_id: + - T1562.001 + - T1562 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Registry.registry_key_name + - Registry.registry_value_name + - Registry.dest + - Registry.user + - Registry.registry_path + - Registry.action + risk_score: 81 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog + update_timestamp: true diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml index 3b2738b061..a13b77afc6 100644 --- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml +++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml 
@@ -1,13 +1,12 @@ name: Windows Impair Defenses Disable Win Defender Auto Logging id: 76406a0f-f5e0-4167-8e1f-337fdc0f1b0c -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-12-09' author: Teoderick Contreras, Splunk status: production type: Anomaly description: The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint. data_source: -- Sysmon EventID 12 - Sysmon EventID 13 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = "*WMI\\Autologger\\DefenderApiLogger\\Start" OR Registry.registry_path = "*WMI\\Autologger\\DefenderAuditLogger\\Start") Registry.registry_value_data ="0x00000000" by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_win_defender_auto_logging_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. 
@@ -15,6 +14,8 @@ known_false_positives: It is unusual to turn this feature off a Windows system s references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ +- https://isc.sans.edu/diary/rss/28628 +- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml index 542814745e..bcee4e1dab 100644 --- a/detections/endpoint/windows_java_spawning_shells.yml +++ b/detections/endpoint/windows_java_spawning_shells.yml @@ -1,7 +1,7 @@ name: Windows Java Spawning Shells id: 28c81306-5c47-11ec-bfea-acde48001122 -version: 5 -date: '2024-10-17' +version: 6 +date: '2024-12-11' author: Michael Haag, Splunk status: experimental type: TTP @@ -24,6 +24,7 @@ tags: analytic_story: - Log4Shell CVE-2021-44228 - SysAid On-Prem Software CVE-2023-47246 Vulnerability + - Cleo File Transfer Software asset_type: Endpoint confidence: 50 cve: diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml index 4e6cf4097a..fe58a5674c 100644 --- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml +++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry Delete Firewall Rules id: 41c61539-98ca-4750-b3ec-7c29a2f06343 -version: 2 -date: '2024-09-30' +version: 3 +date: '2024-12-08' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 12 
@@ -9,7 +9,7 @@ type: TTP status: production description: The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. Monitoring these activities helps maintain network integrity and prevent malicious attacks. search: '`sysmon` EventCode=12 TargetObject = "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" EventType=DeleteValue | rename Computer as dest | rename User as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode EventType TargetObject Image user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_delete_firewall_rules_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. references: - https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ 
diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml index d4aa798e53..7f4fd660c7 100644 --- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml +++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry to Add or Modify Firewall Rule id: 43254751-e2ce-409a-b6b4-4f851e8dcc26 -version: 3 -date: '2024-11-14' +version: 4 +date: '2024-12-08' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 12 @@ -23,7 +23,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `windows_modify_registry_to_add_or_modify_firewall_rule_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered. diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml index f6c41c2dc2..aa14321c67 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry ValleyRat PWN Reg Entry id: 6947c44e-be1f-4dd9-b198-bc42be5be196 -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-12-08' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 
@@ -9,7 +9,7 @@ type: TTP status: production description: The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data = ".pwn") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_valleyrat_pwn_reg_entry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape 
diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml index efb694a8b2..34d383fede 100644 --- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml +++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml @@ -1,7 +1,7 @@ name: Windows Modify Show Compress Color And Info Tip Registry id: b7548c2e-9a10-11ec-99e3-acde48001122 -version: 6 -date: '2024-11-14' +version: 7 +date: '2024-12-08' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -18,7 +18,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `windows_modify_show_compress_color_and_info_tip_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml new file mode 100644 index 0000000000..2b3f2f7255 --- /dev/null +++ b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml 
@@ -0,0 +1,64 @@ +name: Windows New Custom Security Descriptor Set On EventLog Channel +id: c0e5dd5a-2117-41d5-a04c-82a762a86a38 +version: 1 +date: '2024-12-06' +author: Nasreddine Bencherchali, Michael Haag, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CustomSD" value within the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\\CustomSD" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs. +data_source: +- Sysmon EventID 13 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. 
If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 +known_false_positives: None identified, setting up the "CustomSD" value is considered a legacy option and shouldn't be a common activity. +references: +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy +- https://attack.mitre.org/techniques/T1562/002/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - LockBit Ransomware + - Defense Evasion or Unauthorized Access Via SDDL Tampering + asset_type: Endpoint + confidence: 80 + impact: 80 + message: modified/added/deleted registry entry $registry_path$ in $dest$ + mitre_attack_id: + - T1562.002 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Registry.dest + - Registry.registry_value_name + - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_value_data + - 
Registry.process_guid + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml new file mode 100644 index 0000000000..0ca516e5f4 --- /dev/null +++ b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml 
@@ -0,0 +1,75 @@ +name: Windows New Deny Permission Set On Service SD Via Sc.EXE +id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33 +version: 1 +date: '2024-12-05' +author: Nasreddine Bencherchali, Michael Haag, Splunk +status: production +type: Anomaly +description: The following analytic detects changes in a service security descriptor where a new deny ace has been added. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated deny ace. If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset *" Processes.process="*(D;*" Processes.process IN ("*;IU*", "*;S-1-5-4*", "*;SU*", "*;S-1-5-6*", "*;BA*", "*;S-1-5-32-544*", "*;SY*", "*;S-1-5-18*", "*;WD*", "*;S-1-1-0*", "*;AU*", "*;S-1-5-11*", "*;LS*", "*;S-1-5-19*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_deny_permission_set_on_service_sd_via_sc_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: None identified. Attempts to add deny aces to services, especially security-related services should be immediately investigated. +references: +- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ +- https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf +- https://attack.mitre.org/techniques/T1564/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Defense Evasion or Unauthorized Access Via SDDL Tampering + asset_type: Endpoint + confidence: 50 + impact: 60 + message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on 
endpoint $dest$ by user $user$. + mitre_attack_id: + - T1564 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 30 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml new file mode 100644 index 0000000000..5d5e6a454a --- /dev/null +++ b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml 
@@ -0,0 +1,64 @@ +name: Windows New EventLog ChannelAccess Registry Value Set +id: 16eb11bc-ef42-42e8-9d0c-d21e0fa15725 +version: 1 +date: '2024-12-06' +author: Nasreddine Bencherchali, Michael Haag, Splunk +status: production +type: Anomaly +description: The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the "CustomSD" value within the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\\CustomSD" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs. +data_source: +- Sysmon EventID 13 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*", "*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_eventlog_channelaccess_registry_value_set_filter`' +how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. 
The data used for this search is typically generated via logs that report reads and writes to the registry. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 +known_false_positives: False positives may be triggered from newly installed event providers or windows updates, new "ChannelAccess" values must be investigated. +references: +- https://web.archive.org/web/20220710181255/https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness +- https://attack.mitre.org/techniques/T1562/002/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - LockBit Ransomware + - Defense Evasion or Unauthorized Access Via SDDL Tampering + asset_type: Endpoint + confidence: 50 + impact: 60 + message: modified/added/deleted registry entry $registry_path$ in $dest$ + mitre_attack_id: + - T1562.002 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + 
required_fields: + - _time + - Registry.dest + - Registry.registry_value_name + - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_value_data + - Registry.process_guid + risk_score: 30 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml new file mode 100644 index 0000000000..4b03015de1 --- /dev/null +++ b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml 
@@ -0,0 +1,75 @@ +name: Windows New Service Security Descriptor Set Via Sc.EXE +id: cde00c31-042a-4307-bf70-25e471da56e9 +version: 1 +date: '2024-12-05' +author: Nasreddine Bencherchali, Michael Haag, Splunk +status: production +type: Anomaly +description: The following analytic detects changes in a service security descriptor where a new deny ace has been added. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting any service and adding a dedicated deny ace. If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_service_security_descriptor_set_via_sc_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: None identified. Attempts to disable security-related services should be identified and understood. +references: +- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ +- https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf +- https://attack.mitre.org/techniques/T1564/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Defense Evasion or Unauthorized Access Via SDDL Tampering + asset_type: Endpoint + confidence: 60 + impact: 60 + message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. 
+ mitre_attack_id: + - T1564 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 36 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml index b55bf70c4a..b9967aceae 100644 --- a/detections/endpoint/windows_proxy_via_registry.yml +++ b/detections/endpoint/windows_proxy_via_registry.yml @@ -1,7 +1,7 @@ name: Windows Proxy Via Registry id: 0270455b-1385-4579-9ac5-e77046c508ae -version: 3 -date: '2024-09-30' +version: 4 +date: '2024-12-08' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 13 description: The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709 +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. 
https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml index 54110da946..12bec8b289 100644 --- a/detections/endpoint/windows_registry_bootexecute_modification.yml +++ b/detections/endpoint/windows_registry_bootexecute_modification.yml @@ -1,7 +1,7 @@ name: Windows Registry BootExecute Modification id: eabbac3a-45aa-4659-920f-6b8cff383fb8 -version: 4 -date: '2024-11-14' +version: 5 +date: '2024-12-03' author: Michael Haag, Teoderick Contreras, Splunk status: production type: TTP @@ -17,7 +17,7 @@ description: The following analytic detects modifications to the BootExecute reg confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Control\\Session + WHERE Registry.registry_path="*\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute" BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) diff --git a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml new file mode 100644 index 0000000000..f9675493ff --- /dev/null +++ b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml 
@@ -0,0 +1,66 @@ +name: Windows Registry Dotnet ETW Disabled Via ENV Variable +id: 55502381-5cce-491b-9277-7cb1d10bc0df +version: 1 +date: '2024-12-08' +author: Nasreddine Bencherchali, Splunk +status: production +type: TTP +description: The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the COMPlus_ETWEnabled registry value under the "Environment" registry key path for both user (HKCU\Environment) and machine (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) scopes. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. +data_source: +- Sysmon EventID 13 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="*\\Environment*" Registry.registry_value_name="COMPlus_ETWEnabled" (Registry.registry_value_data=0x000000000 OR Registry.registry_value_data=0) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_registry_dotnet_etw_disabled_via_env_variable_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. 
https://splunkbase.splunk.com/app/5709 +known_false_positives: Setting the "COMPlus_ETWEnabled" value as a global environment variable either in user or machine scope should only happens during debugging use cases, hence the false positives rate should be very minimal. +references: +- https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 +- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ +- https://attack.mitre.org/techniques/T1562/006/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Windows Registry Abuse + - Windows Defense Evasion Tactics + asset_type: Endpoint + confidence: 100 + impact: 90 + message: Modified registry entry $registry_path$ in $dest$ + mitre_attack_id: + - T1562.006 + - T1562 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Registry.dest + - Registry.registry_value_name + - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_value_data + - Registry.process_guid + 
risk_score: 90 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml b/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml new file mode 100644 index 0000000000..e2d17aab1a --- /dev/null +++ b/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml 
@@ -0,0 +1,75 @@ +name: Windows ScManager Security Descriptor Tampering Via Sc.EXE +id: 04023928-0381-4935-82cb-03372b2ef644 +version: 1 +date: '2024-12-05' +author: Nasreddine Bencherchali, Michael Haag, Splunk +status: production +type: TTP +description: The following analytic detects changes in the ScManager service security descriptor settings. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the "sc.exe" binary with the "sdset" flag targeting the "scmanager" service. If confirmed malicious, this could allow an attacker to escalate their privileges. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process="*sdset *" Processes.process="*scmanager*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scmanager_security_descriptor_tampering_via_sc_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: None identified. Attempts to modify or tamper with the security descriptor settings of the scmanager service should be immediately investigated and understood. +references: +- https://github.com/redcanaryco/atomic-red-team/blob/8ac5c4f84692b11ea2832d18d3dc6f1ce7fb4e41/atomics/T1569.002/T1569.002.md#atomic-test-7---modifying-acl-of-service-control-manager-via-sdet +- https://0xv1n.github.io/posts/scmanager/ +- https://attack.mitre.org/techniques/T1569/002/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Defense Evasion or Unauthorized Access Via SDDL Tampering + asset_type: Endpoint + confidence: 80 + impact: 80 + message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. 
+ mitre_attack_id: + - T1569.002 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index 408380ac63..4e71034d22 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml 
@@ -23,7 +23,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: Third party tools may used this technique to create services but not so common. diff --git a/detections/endpoint/windows_service_execution_remcom.yml b/detections/endpoint/windows_service_execution_remcom.yml new file mode 100644 index 0000000000..522fb40335 --- /dev/null +++ b/detections/endpoint/windows_service_execution_remcom.yml 
@@ -0,0 +1,78 @@ +name: Windows Service Execution RemCom +id: 7e3d68db-ea4d-419b-adbd-e14a525ecf09 +version: 1 +date: '2024-12-10' +author: Michael Haag, Splunk +type: TTP +status: production +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +description: The following analytic identifies the execution of RemCom.exe, an open-source alternative to PsExec, used for lateral movement and remote command execution. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and command-line arguments. This activity is significant as it indicates potential lateral movement within the network. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to further compromise and control over additional systems within the network. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=remcom.exe OR Processes.original_file_name=RemCom.exe) Processes.process="*\\*" Processes.process IN ("*/user:*", "*/pwd:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_execution_remcom_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives may be present based on Administrative use. Filter as needed. +references: +- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ +- https://github.com/kavika13/RemCom +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Active Directory Discovery + asset_type: Endpoint + confidence: 50 + impact: 80 + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally. 
+ mitre_attack_id: + - T1569.002 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: parent_process_name + type: Process + role: + - Attacker + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 40 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml index ce2594020a..90317c4a6a 100644 --- a/detections/endpoint/windows_sql_spawning_certutil.yml +++ b/detections/endpoint/windows_sql_spawning_certutil.yml @@ -1,7 +1,7 @@ name: Windows SQL Spawning CertUtil id: dfc18a5a-946e-44ee-a373-c0f60d06e676 -version: 4 -date: '2024-10-17' +version: 5 +date: '2024-12-07' author: Michael Haag, Splunk status: experimental type: TTP 
@@ -10,7 +10,7 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 description: The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process="*urlcache*" OR Processes.process="*verifyctl*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name 
Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: The occurrence of false positives should be minimal, given that the SQL agent does not typically download software using CertUtil. references: diff --git a/detections/endpoint/windows_subinacl_execution.yml b/detections/endpoint/windows_subinacl_execution.yml new file mode 100644 index 0000000000..85d5ba0aa6 --- /dev/null +++ b/detections/endpoint/windows_subinacl_execution.yml 
@@ -0,0 +1,74 @@ +name: Windows SubInAcl Execution +id: 12491419-1a6f-4af4-afc3-4e2052f0610e +version: 1 +date: '2024-12-05' +author: Nasreddine Bencherchali, Michael Haag, Splunk +status: production +type: Anomaly +description: The following analytic detects the execution of the SubInAcl utility. SubInAcl is a legacy Windows Resource Kit tool from the Windows 2003 era, used to manipulate security descriptors of securable objects. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving "SubInAcl.exe" binary. This activity can be significant because the utility should be rarely found on modern Windows machines, which mean any execution could potentially be considered suspicious. If confirmed malicious, this could allow an attacker to blind defenses by tampering with EventLog ACLs or modifying the access to a previously denied resource. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=subinacl.exe OR Processes.original_file_name=SubInAcl.exe) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_subinacl_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process name, and process original file name. 
Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: None identified. Attempts to disable security-related services should be identified and understood. +references: +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf +- https://attack.mitre.org/techniques/T1222/001/ +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Defense Evasion or Unauthorized Access Via SDDL Tampering + asset_type: Endpoint + confidence: 40 + impact: 40 + message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. 
+ mitre_attack_id: + - T1222.001 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 16 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/lookups/ransomware_extensions_20231219.csv b/lookups/ransomware_extensions_20231219.csv deleted file mode 100644 index 85a53a6a11..0000000000 --- a/lookups/ransomware_extensions_20231219.csv +++ /dev/null 
@@ -1,303 +0,0 @@ -Extensions,Name -.enc,.CryptoHasYou. -.777,777 -.R4A,7ev3n -.R5A,7ev3n -.7h9r,7h9r -.8lock8,8lock8 -.encrypt,Alpha Ransomware -.amba,AMBA -.adk,Angry Duck -.encrypted,Apocalypse -.SecureCrypted,Apocalypse -.FuckYourData,Apocalypse -.unavailable,Apocalypse -.bleepYourFiles,Apocalypse -.Where_my_files.txt,Apocalypse -.encrypted,ApocalypseVM -.locked,ApocalypseVM -.locky,AutoLocky -.adr,BaksoCrypt -.avos,AvosLocker -.avos2,AvosLocker -.avoslinux,AvosLocker -.bart.zip,Bart -.bart,Bart -.perl,Bart -.clf,BitCryptor -.bitstak,BitStak -.Silent,BlackShades Crypter -.blocatto,Blocatto -.cry,Central Security Treatment Organization -.cerber,Cerber -.cerber2,Cerber -.cerber3,Cerber -.clf,CoinVault -.coverton,Coverton -.enigma,Coverton -.czvxce,Coverton -.criptiko,CryFile -.criptoko,CryFile -.criptokod,CryFile -.cripttt,CryFile -.aga,CryFile -.cry,CryLocker -.ENCRYPTED,Crypren -.crypt38,Crypt38 -.scl,CryptFIle2 -.crinf,CryptInfinite -.frtrss,CryptoFortress -.clf,CryptoGraphic Locker -.crjoker,CryptoJoker -.encrypted ,CryptoLocker -.ENC,CryptoLocker -.code,CryptoMix -.scl,CryptoMix -.crptrgr,CryptoRoger -.locked,CryptoShocker -.CryptoTorLocker2015!,CryptoTorLocker2015 -.crypt,CryptXXX -.crypt,CryptXXX 2.0 -.crypt,CryptXXX 3.0 -.cryp1,CryptXXX 3.0 -.crypz,CryptXXX 3.0 -.cryptz,CryptXXX 3.0 -.cryp1,CryptXXX 3.1 -.ctbl,CTB-Locker -.encrypted,CuteRansomware -.ded,DEDCryptor -.domino,Domino -.locked,EDA2 / HiddenTear -.isis,EduCrypt -.locked,EduCrypt -.ha3,El-Polocker -.enigma,Enigma -.1txt,Enigma -.exotic,Exotic -.locked,Fakben -.fantom,Fantom -.Z81928819,GhostCrypt -.purge,Globe v1 -.globe,Globe v3 -.locked,GNL Locker -.crypt,Gomasom -.herbst,Herbst -.cry,Hi Buddy! 
-.locky,Hucky -.crime,iLock -.crime,iLockLight -.btc,Jigsaw -.kkk,Jigsaw -.fun,Jigsaw -.gws,Jigsaw -.porno,Jigsaw -.payransom,Jigsaw -.payms,Jigsaw -.paymst,Jigsaw -.AFD,Jigsaw -.paybtcs,Jigsaw -.epic,Jigsaw -.xyz,Jigsaw -.locked,Job Crypter -.encrypted,KeRanger -.keybtc@inbox_com,KeyBTC -.rip,Killer Locker -.kimcilware,KimcilWare -.locked,KimcilWare -.kostya,Kostya -.kratos,KratosCrypt -.LeChiffre,LeChiffre -.locky,Locky -.zepto,Locky -.odin,Locky -.shit,Locky -.thor,Locky -.asier,Locky -.zzzzz,Locky -.osiris,Locky -.lock93,Lock93 -.crime,Lortok -.oor,LowLevel04 -.magic,Magic -.Lock,MIRCOP -.fucked,MireWare -.fuck,MireWare -.locked,MM Locker -.KEYZ,Mobef -.KEYH0LES,Mobef -.crypted,Nemucod -.odcodc,ODCODC -.cbf,Offline ransomware -.LOL!,OMG! Ransomware -.OMG!,OMG! Ransomware -.padcrypt,PadCrypt -.locked,Philadelphia -.locked,PokemonGO -.filock,Popcorn Time -.locky,PowerWare -.crypt,R980 -.locked,RAA encryptor -.RDM,Radamant -.RRK,Radamant -.RAD,Radamant -.RADAMANT,Radamant -.locked,Rakhni -.kraken,Rakhni -.darkness,Rakhni -.nochance,Rakhni -.oshit,Rakhni -.oplata@qq_com,Rakhni -.relock@qq_com,Rakhni -.crypto,Rakhni -.helpdecrypt@ukr.net,Rakhni -.pizda@qq_com,Rakhni -.dyatel@qq_com,Rakhni -._ryp,Rakhni -.nalog@qq_com,Rakhni -.chifrator@qq_com,Rakhni -.gruzin@qq_com,Rakhni -.troyancoder@qq_com,Rakhni -.encrypted,Rakhni -.cry,Rakhni -.AES256,Rakhni -.enc,Rakhni -.hb15,Rakhni -.vscrypt,Rector -.infected,Rector -.bloc,Rector -.korrektor,Rector -.rekt,RektLocker -.remind,RemindMe -.crashed,RemindMe -.rokku,Rokku -.encryptedAES,Samas-Samsam -.encryptedRSA,Samas-Samsam -.encedRSA,Samas-Samsam -.justbtcwillhelpyou,Samas-Samsam -.btcbtcbtc,Samas-Samsam -.btc-help-you,Samas-Samsam -.only-we_can-help_you,Samas-Samsam -.iwanthelpuuu,Samas-Samsam -.notfoundrans,Samas-Samsam -.encmywork,Samas-Samsam -.weapologize,Samas-Samsam -.stubbin,Samas-Samsam -.areyoulovemyrans,Samas-Samsam -.loveransisgood,Samas-Samsam -.myransext2017,Samas-Samsam -.disposed2017,Samas-Samsam 
-.prosperous666,Samas-Samsam -.supported2017,Samas-Samsam -.country82000,Samas-Samsam -.moments2900,Samas-Samsam -.breeding123,Samas-Samsam -.mention9823,Samas-Samsam -.suppose666,Samas-Samsam -.skjdthghh,Samas-Samsam -.cifgksaffsfyghd,Samas-Samsam -.iaufkakfhsaraf,Samas-Samsam -.filegofprencrp,Samas-Samsam -.weencedufiles,Samas-Samsam -.encryptedyourfiles,Samas-Samsam -.letmetrydecfiles,Samas-Samsam -.otherinformation,Samas-Samsam -.weareyourfriends,Samas-Samsam -.noproblemwedecfiles,Samas-Samsam -.powerfulldecrypt,Samas-Samsam -.wowreadfordecryp,Samas-Samsam -.wowwhereismyfiles,Samas-Samsam -.helpmeencedfiles,Samas-Samsam -.theworldisyours,Samas-Samsam -.vekanhelpu,Samas-Samsam -.howcanihelpusir,Samas-Samsam -.VforVendetta,Samas-Samsam -.checkdiskenced,Samas-Samsam -.goforhelp,Samas-Samsam -.iloveworld,Samas-Samsam -.canihelpyou,Samas-Samsam -.AreYouLoveMyRansFile,Samas-Samsam -.fucku,Samas-Samsam -.happenencedfiles,Samas-Samsam -.iwishiyou,Samas-Samsam -.powerfulldecryp,Samas-Samsam -.suppose665,Samas-Samsam -.Whereisyourfiles,Samas-Samsam -.sanction,Sanction -.locked,Shark -.shino,ShinoLocker -.locked,SkidLocker / Pompous -.encrypted,Smrss32 -.RSNSlocked,SNSLocker -.RSplited,SNSLocker -.sport,Sport -.locked,Stampado -.locked,Strictor -.surprise,Surprise -.tzu,Surprise -.szf,SZFLocker -.xcri,TeleCrypt -.vvv,TeslaCrypt 0.x - 2.2.0 -.ecc,TeslaCrypt 0.x - 2.2.0 -.exx,TeslaCrypt 0.x - 2.2.0 -.ezz,TeslaCrypt 0.x - 2.2.0 -.abc,TeslaCrypt 0.x - 2.2.0 -.aaa,TeslaCrypt 0.x - 2.2.0 -.zzz,TeslaCrypt 0.x - 2.2.0 -.xyz,TeslaCrypt 0.x - 2.2.0 -.micro,TeslaCrypt 3.0+ -.xxx,TeslaCrypt 3.0+ -.ttt,TeslaCrypt 3.0+ -.mp3,TeslaCrypt 3.0+ -.Encrypted,TorrentLocker -.enc,TorrentLocker -.toxcrypt,Toxcrypt -.better_call_saul,Troldesh -.xtbl,Troldesh -.da_vinci_code,Troldesh -.windows10,Troldesh -.enc,TrueCrypter -.locked,Turkish Ransom -.H3LL,Ungluk -.0x0,Ungluk -.1999,Ungluk -.CRRRT,Unlock92 -.CCCRRRPPP,Unlock92 -.vault,VaultCrypt -.xort,VaultCrypt -.trun,VaultCrypt 
-.Venusf,VenusLocker -.Venusp,VenusLocker -.CrySiS,Virus-Encoder -.xtbl,Virus-Encoder -.wflx,WildFire Locker -.EnCiPhErEd,Xorist -.73i87A,Xorist -.p5tkjw,Xorist -.PoAr2w,Xorist -.fileiscryptedhard,Xorist -.encoderpass,Xorist -.zc3791,Xorist -.xrtn,XRTN -.zcrypt,Zcrypt -.crypto,Zimbra -.vault,Zlader / Russian -.zyklon,Zyklon -.wncry,WannaCry -.wcry,WannaCry -.wnry,WannaCry -.wncryt,WannaCry -.WNCRYT,WannaCry -.RYK,Ryuk -.Clop,Clop -.Cllp,Clop -.JSWORM,JSWorm -.NEMTY_*,Nemty -.NEFILIM,Nefilim -.OFFWHITE,Offwhite -.TELEGRAM,Telegram -.FUSION,Fusion -.MILIHPEN,Milihpen -.GANGBANG,Gangbang -.reddot,RedDot -.MEDUSA,Medusa -.rhysida,Rhysida \ No newline at end of file diff --git a/lookups/ransomware_extensions_20241212.csv b/lookups/ransomware_extensions_20241212.csv new file mode 100644 index 0000000000..38cca70a09 --- /dev/null +++ b/lookups/ransomware_extensions_20241212.csv 
@@ -0,0 +1,303 @@ +Extensions,Name +*.enc,.CryptoHasYou. +*.777,777 +*.R4A,7ev3n +*.R5A,7ev3n +*.7h9r,7h9r +*.8lock8,8lock8 +*.encrypt,Alpha Ransomware +*.amba,AMBA +*.adk,Angry Duck +*.encrypted,Apocalypse +*.SecureCrypted,Apocalypse +*.FuckYourData,Apocalypse +*.unavailable,Apocalypse +*.bleepYourFiles,Apocalypse +*.Where_my_files.txt,Apocalypse +*.encrypted,ApocalypseVM +*.locked,ApocalypseVM +*.locky,AutoLocky +*.adr,BaksoCrypt +*.avos,AvosLocker +*.avos2,AvosLocker +*.avoslinux,AvosLocker +*.bart.zip,Bart +*.bart,Bart +*.perl,Bart +*.clf,BitCryptor +*.bitstak,BitStak +*.Silent,BlackShades Crypter +*.blocatto,Blocatto +*.cry,Central Security Treatment Organization +*.cerber,Cerber +*.cerber2,Cerber +*.cerber3,Cerber +*.clf,CoinVault +*.coverton,Coverton +*.enigma,Coverton +*.czvxce,Coverton +*.criptiko,CryFile +*.criptoko,CryFile +*.criptokod,CryFile +*.cripttt,CryFile +*.aga,CryFile +*.cry,CryLocker +*.ENCRYPTED,Crypren +*.crypt38,Crypt38 +*.scl,CryptFIle2 +*.crinf,CryptInfinite +*.frtrss,CryptoFortress +*.clf,CryptoGraphic Locker +*.crjoker,CryptoJoker +*.encrypted ,CryptoLocker +*.ENC,CryptoLocker +*.code,CryptoMix +*.scl,CryptoMix +*.crptrgr,CryptoRoger +*.locked,CryptoShocker +*.CryptoTorLocker2015!,CryptoTorLocker2015 +*.crypt,CryptXXX +*.crypt,CryptXXX 2.0 +*.crypt,CryptXXX 3.0 +*.cryp1,CryptXXX 3.0 +*.crypz,CryptXXX 3.0 +*.cryptz,CryptXXX 3.0 +*.cryp1,CryptXXX 3.1 +*.ctbl,CTB-Locker +*.encrypted,CuteRansomware +*.ded,DEDCryptor +*.domino,Domino +*.locked,EDA2 / HiddenTear +*.isis,EduCrypt +*.locked,EduCrypt +*.ha3,El-Polocker +*.enigma,Enigma +*.1txt,Enigma +*.exotic,Exotic +*.locked,Fakben +*.fantom,Fantom +*.Z81928819,GhostCrypt +*.purge,Globe v1 +*.globe,Globe v3 +*.locked,GNL Locker +*.crypt,Gomasom +*.herbst,Herbst +*.cry,Hi Buddy! 
+*.locky,Hucky +*.crime,iLock +*.crime,iLockLight +*.btc,Jigsaw +*.kkk,Jigsaw +*.fun,Jigsaw +*.gws,Jigsaw +*.porno,Jigsaw +*.payransom,Jigsaw +*.payms,Jigsaw +*.paymst,Jigsaw +*.AFD,Jigsaw +*.paybtcs,Jigsaw +*.epic,Jigsaw +*.xyz,Jigsaw +*.locked,Job Crypter +*.encrypted,KeRanger +*.keybtc@inbox_com,KeyBTC +*.rip,Killer Locker +*.kimcilware,KimcilWare +*.locked,KimcilWare +*.kostya,Kostya +*.kratos,KratosCrypt +*.LeChiffre,LeChiffre +*.locky,Locky +*.zepto,Locky +*.odin,Locky +*.shit,Locky +*.thor,Locky +*.asier,Locky +*.zzzzz,Locky +*.osiris,Locky +*.lock93,Lock93 +*.crime,Lortok +*.oor,LowLevel04 +*.magic,Magic +*.Lock,MIRCOP +*.fucked,MireWare +*.fuck,MireWare +*.locked,MM Locker +*.KEYZ,Mobef +*.KEYH0LES,Mobef +*.crypted,Nemucod +*.odcodc,ODCODC +*.cbf,Offline ransomware +*.LOL!,OMG! Ransomware +*.OMG!,OMG! Ransomware +*.padcrypt,PadCrypt +*.locked,Philadelphia +*.locked,PokemonGO +*.filock,Popcorn Time +*.locky,PowerWare +*.crypt,R980 +*.locked,RAA encryptor +*.RDM,Radamant +*.RRK,Radamant +*.RAD,Radamant +*.RADAMANT,Radamant +*.locked,Rakhni +*.kraken,Rakhni +*.darkness,Rakhni +*.nochance,Rakhni +*.oshit,Rakhni +*.oplata@qq_com,Rakhni +*.relock@qq_com,Rakhni +*.crypto,Rakhni +*.helpdecrypt@ukr.net,Rakhni +*.pizda@qq_com,Rakhni +*.dyatel@qq_com,Rakhni +*._ryp,Rakhni +*.nalog@qq_com,Rakhni +*.chifrator@qq_com,Rakhni +*.gruzin@qq_com,Rakhni +*.troyancoder@qq_com,Rakhni +*.encrypted,Rakhni +*.cry,Rakhni +*.AES256,Rakhni +*.enc,Rakhni +*.hb15,Rakhni +*.vscrypt,Rector +*.infected,Rector +*.bloc,Rector +*.korrektor,Rector +*.rekt,RektLocker +*.remind,RemindMe +*.crashed,RemindMe +*.rokku,Rokku +*.encryptedAES,Samas-Samsam +*.encryptedRSA,Samas-Samsam +*.encedRSA,Samas-Samsam +*.justbtcwillhelpyou,Samas-Samsam +*.btcbtcbtc,Samas-Samsam +*.btc-help-you,Samas-Samsam +*.only-we_can_help_you,Samas-Samsam +*.iwanthelpuuu,Samas-Samsam +*.notfoundrans,Samas-Samsam +*.encmywork,Samas-Samsam +*.weapologize,Samas-Samsam +*.stubbin,Samas-Samsam +*.areyoulovemyrans,Samas-Samsam 
+*.loveransisgood,Samas-Samsam +*.myransext2017,Samas-Samsam +*.disposed2017,Samas-Samsam +*.prosperous666,Samas-Samsam +*.supported2017,Samas-Samsam +*.country82000,Samas-Samsam +*.moments2900,Samas-Samsam +*.breeding123,Samas-Samsam +*.mention9823,Samas-Samsam +*.suppose666,Samas-Samsam +*.skjdthghh,Samas-Samsam +*.cifgksaffsfyghd,Samas-Samsam +*.iaufkakfhsaraf,Samas-Samsam +*.filegofprencrp,Samas-Samsam +*.weencedufiles,Samas-Samsam +*.encryptedyourfiles,Samas-Samsam +*.letmetrydecfiles,Samas-Samsam +*.otherinformation,Samas-Samsam +*.weareyourfriends,Samas-Samsam +*.noproblemwedecfiles,Samas-Samsam +*.powerfulldecrypt,Samas-Samsam +*.wowreadfordecryp,Samas-Samsam +*.wowwhereismyfiles,Samas-Samsam +*.helpmeencedfiles,Samas-Samsam +*.theworldisyours,Samas-Samsam +*.vekanhelpu,Samas-Samsam +*.howcanihelpusir,Samas-Samsam +*.VforVendetta,Samas-Samsam +*.checkdiskenced,Samas-Samsam +*.goforhelp,Samas-Samsam +*.iloveworld,Samas-Samsam +*.canihelpyou,Samas-Samsam +*.AreYouLoveMyRansFile,Samas-Samsam +*.fucku,Samas-Samsam +*.happenencedfiles,Samas-Samsam +*.iwishiyou,Samas-Samsam +*.powerfulldecryp,Samas-Samsam +*.suppose665,Samas-Samsam +*.Whereisyourfiles,Samas-Samsam +*.sanction,Sanction +*.locked,Shark +*.shino,ShinoLocker +*.locked,SkidLocker / Pompous +*.encrypted,Smrss32 +*.RSNSlocked,SNSLocker +*.RSplited,SNSLocker +*.sport,Sport +*.locked,Stampado +*.locked,Strictor +*.surprise,Surprise +*.tzu,Surprise +*.szf,SZFLocker +*.xcri,TeleCrypt +*.vvv,TeslaCrypt 0.x - 2.2.0 +*.ecc,TeslaCrypt 0.x - 2.2.0 +*.exx,TeslaCrypt 0.x - 2.2.0 +*.ezz,TeslaCrypt 0.x - 2.2.0 +*.abc,TeslaCrypt 0.x - 2.2.0 +*.aaa,TeslaCrypt 0.x - 2.2.0 +*.zzz,TeslaCrypt 0.x - 2.2.0 +*.xyz,TeslaCrypt 0.x - 2.2.0 +*.micro,TeslaCrypt 3.0+ +*.xxx,TeslaCrypt 3.0+ +*.ttt,TeslaCrypt 3.0+ +*.mp3,TeslaCrypt 3.0+ +*.Encrypted,TorrentLocker +*.enc,TorrentLocker +*.toxcrypt,Toxcrypt +*.better_call_saul,Troldesh +*.xtbl,Troldesh +*.da_vinci_code,Troldesh +*.windows10,Troldesh +*.enc,TrueCrypter +*.locked,Turkish 
Ransom +*.H3LL,Ungluk +*.0x0,Ungluk +*.1999,Ungluk +*.CRRRT,Unlock92 +*.CCCRRRPPP,Unlock92 +*.vault,VaultCrypt +*.xort,VaultCrypt +*.trun,VaultCrypt +*.Venusf,VenusLocker +*.Venusp,VenusLocker +*.CrySiS,Virus-Encoder +*.xtbl,Virus-Encoder +*.wflx,WildFire Locker +*.EnCiPhErEd,Xorist +*.73i87A,Xorist +*.p5tkjw,Xorist +*.PoAr2w,Xorist +*.fileiscryptedhard,Xorist +*.encoderpass,Xorist +*.zc3791,Xorist +*.xrtn,XRTN +*.zcrypt,Zcrypt +*.crypto,Zimbra +*.vault,Zlader / Russian +*.zyklon,Zyklon +*.wncry,WannaCry +*.wcry,WannaCry +*.wnry,WannaCry +*.wncryt,WannaCry +*.WNCRYT,WannaCry +*.RYK,Ryuk +*.Clop,Clop +*.Cllp,Clop +*.JSWORM,JSWorm +*.NEMTY_*,Nemty +*.NEFILIM,Nefilim +*.OFFWHITE,Offwhite +*.TELEGRAM,Telegram +*.FUSION,Fusion +*.MILIHPEN,Milihpen +*.GANGBANG,Gangbang +*.reddot,RedDot +*.MEDUSA,Medusa +*.rhysida,Rhysida \ No newline at end of file diff --git a/lookups/ransomware_extensions_lookup.yml b/lookups/ransomware_extensions_lookup.yml index e86befe1c4..41bb4c2b93 100644 --- a/lookups/ransomware_extensions_lookup.yml +++ b/lookups/ransomware_extensions_lookup.yml @@ -1,6 +1,6 @@ default_match: 'false' description: A list of file extensions that are associated with ransomware -filename: ransomware_extensions_20231219.csv +filename: ransomware_extensions_20241212.csv match_type: WILDCARD(Extensions) min_matches: 1 name: ransomware_extensions_lookup diff --git a/macros/ransomware_extensions.yml b/macros/ransomware_extensions.yml index c9de5c4ad0..fde2314d76 100644 --- a/macros/ransomware_extensions.yml +++ b/macros/ransomware_extensions.yml @@ -1,5 +1,4 @@ -definition: lookup update=true ransomware_extensions_lookup Extensions AS file_extension - OUTPUT Name | search Name !=False +definition: lookup update=true ransomware_extensions_lookup Extensions AS file_name OUTPUT Extensions Name | search Name !=False description: This macro limits the output to files that have extensions associated with ransomware name: ransomware_extensions 
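Review bot: two entries in the new `ransomware_extensions_20241212.csv` need a second look. `*.encrypted ,CryptoLocker` carries a trailing space inside the pattern (inherited from the old file), so with `WILDCARD(Extensions)` it can only match a file name that ends in ".encrypted " and the CryptoLocker row is dead; drop the space. And `.only-we_can-help_you,Samas-Samsam` in the deleted file became `*.only-we_can_help_you,Samas-Samsam` here (hyphen to underscore before "help"), which is not a mechanical `*.` prefix and is not mentioned anywhere; confirm which spelling is intended. Separately, entries that are plain common extensions, such as `*.mp3`, `*.xyz`, `*.abc`, `*.aaa`, `*.zzz`, `*.1999`, `*.code` and `*.crypt`, will match ordinary files both before and after this change; either document the expected false-positive rate for those families or drop the entries that cannot be distinguished from benign file names. The file is also still missing its trailing newline.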
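Review bot: the macro hunk renames `Extensions AS file_name`, so every search that invokes `ransomware_extensions` must now supply `file_name` instead of the `file_extension` it needed before, but this patch touches no detection files; please confirm the consumers of this macro and their tests were updated in the same or a companion change, otherwise they will silently match nothing. Two smaller points: `search Name !=False` works only because the lookup sets `default_match: 'false'` and Splunk compares values case-insensitively, so `search Name!="false"` would state the intent explicitly; and since the patterns are now `*.ext` matched against the full file name, `report.docx.locked` matches as intended, but so does any file whose real extension happens to appear in the list.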
diff --git a/stories/cisa_aa23_347a.yml b/stories/cisa_aa23_347a.yml index 2c6497d453..b792b6a09a 100644 --- a/stories/cisa_aa23_347a.yml +++ b/stories/cisa_aa23_347a.yml @@ -1,7 +1,7 @@ name: CISA AA23-347A id: 257a2f28-fcbe-4226-8d1f-957880098331 -version: 2 -date: '2023-12-14' +version: 3 +date: '2024-12-09' author: Teoderick Contreras, Rod Soto, Splunk description: Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, @@ -14,7 +14,7 @@ narrative: SVR cyber operations pose a persistent threat to public and private o and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially - compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's + compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limiting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation. references: diff --git a/stories/cleo_file_transfer_software.yml b/stories/cleo_file_transfer_software.yml new file mode 100644 index 0000000000..1a107919a1 --- /dev/null +++ b/stories/cleo_file_transfer_software.yml 
@@ -0,0 +1,20 @@ +name: Cleo File Transfer Software +id: 058be65c-f007-4a3a-90f6-d2604f98a18b +version: 1 +date: '2024-12-11' +author: Michael Haag, Splunk +description: This analytic story addresses the exploitation of Cleo file transfer software products (LexiCom, VLTrader, and Harmony) through CVE-2024-50623. This vulnerability allows unauthenticated attackers to execute arbitrary system commands through the web interface, potentially leading to remote code execution and system compromise. +narrative: In December 2024, threat actors began actively exploiting a critical vulnerability (CVE-2024-50623) in Cleo's file transfer software suite. The vulnerability affects multiple Cleo products including LexiCom, VLTrader, and Harmony. Attackers can exploit this flaw to execute system commands without authentication through the web interface, typically leveraging PowerShell commands for payload delivery and execution. The exploitation often involves accessing the software's autorun functionality and web interface to deploy malicious commands, potentially leading to data theft, ransomware deployment, or establishment of persistent access. Common installation paths include C:\LexiCom, C:\VLTrader, and C:\Harmony, with critical activity logged in their respective XML log files. +references: +- https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/ +- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection + cve: + - CVE-2024-50623 diff --git a/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering.yml b/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering.yml new file mode 100644 index 0000000000..10ab15d858 --- /dev/null 
+++ b/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering.yml 
@@ -0,0 +1,23 @@ +name: Defense Evasion or Unauthorized Access Via SDDL Tampering +id: 8ccdd852-3878-4871-ae37-e5af5c67baf3 +version: 1 +date: '2024-12-06' +author: Nasreddine Bencherchali, Michael Haag, Splunk +description: This analytic story focuses on detecting potential defense evasion or unauthorized access attempts through tampering with Security Descriptor Definition Language (SDDL) settings. Attackers may modify SDDL configurations to alter permissions on critical system components, such as event logs and services, to obscure their activities or gain unauthorized access. This story includes detections for changes to 'ChannelAccess' and 'CustomSD' registry values, as well as the use of tools like 'sc.exe sdset', 'icacls' and 'subinacl' to modify securable objects (files, registry, services, etc) permissions. +narrative: Adversaries may attempt to evade detection or gain unauthorized access by modifying ACLs or Security Descriptors of different securable objects on the Windows operating system. By altering these settings, attackers can grant themselves elevated privileges or suppress logging mechanisms, thereby hindering detection and response efforts. Monitoring changes to critical registry values and the execution of specific tools used for SDDL modifications can help identify such malicious activities. 
+references: +- https://web.archive.org/web/20220710181255/https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy +- https://0xv1n.github.io/posts/scmanager/ +- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ +- https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf +- https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/ +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection
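Review bot: in the detection hunk at the top of this patch, the `message` and `known_false_positives` text do not describe what the rule detects. The rule is tagged T1222.001, attached to the SDDL-tampering story, and tested against `T1222.001/subinacl/subinacl_sysmon.log`, yet `message` reads "was identified attempting to disable security services on endpoint $dest$" and `known_false_positives` says "Attempts to disable security-related services should be identified and understood", which reads as copied from a service-stop detection. Suggest rewording both around permission or security-descriptor modification, and replacing "None identified" with the realistic case: subinacl is a legitimate Microsoft administrative tool, so installers, deployment scripts and administrators will trigger this, and the note should recommend tuning on `parent_process_name` and `user`.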
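Review bot: in the Cleo story hunk, `description` says the flaw lets attackers "execute arbitrary system commands through the web interface", while `narrative` describes exploitation through the product's autorun functionality with PowerShell used for payload delivery; the two should describe the same chain, otherwise a reader cannot tell whether to look at the web-interface logs or at the autorun directory. The narrative also presents `C:\LexiCom`, `C:\VLTrader` and `C:\Harmony` as "common installation paths"; any detection keyed on those paths will miss non-default installs, which is worth stating explicitly. Adding the vendor's own advisory to `references` next to the Rapid7 and Huntress posts would give readers the authoritative fixed-version information.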
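Review bot: in the SDDL story's `description`, "modify securable objects (files, registry, services, etc) permissions" reads awkwardly and omits the event log channels that the `ChannelAccess` and `CustomSD` detections named in the same sentence are about; suggest "modify the permissions of securable objects such as files, registry keys, services and event log channels". Since `icacls` is on the tool list and is run routinely by installers and administrators, the narrative should also point readers to the false-positive guidance in the individual detections rather than implying every ACL change is suspicious.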